War, Sabotage, And Fear In The Cyber Age – With NYT Reporter David Sanger, Part 1



Episode Table of Contents




  • [00:53] War, Sabotage, and Fear in the Cyber Age



  • [05:56] Cyber for Espionage Is a Prevalent Fear in the Cyber Age



  • [11:36] A Crippling Cyber Attack



  • [17:50] The Incompetence of the US Government



  • About Our Guest



War, Sabotage, and Fear in the Cyber Age



Carolyn: This week, our guest is David Sanger, New York Times national security correspondent, and a senior writer. In his 38-year reporting career for the New York Times, he has been on three teams that have won Pulitzer prizes.


He’s a two-time bestseller on foreign policy and national security. This week, our conversation is about his latest book, which in the fall will be an HBO documentary, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. Welcome, David.


David: Great to be here with both of you.


Carolyn: Thank you so much for being here and today we’re here to talk about your latest book, which in the fall will be an HBO documentary. It’s The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. I want to turn it over to you, Eric, to kick us off.


Eric: I thought I’d kick it off with a reading quickly from the afterword of the book, which I just found incredibly striking. It’s actually General Paul Nakasone’s confirmation hearing in March of 2018. He’s now the director of NSA. It’s Senator Dan Sullivan, Republican from Alaska, asking him a series of questions. I just want to read that quickly.


“What do you think our adversaries think right now? If you do a cyber attack on America, what’s going to happen to them?” General Nakasone replies with, “So basically I would say right now, they do not think that much will happen to them.” Senator Sullivan says, “They don’t fear us?” “They don’t fear us.” “So is that good?” “That is not good, Senator.”



The Biggest and the Best Cyber Offensive Operations in the World



Eric: That’s right from the director of the NSA in his confirmation hearing. David, I’d love to kick off the interview today with a little commentary there if you wouldn’t mind.


David: Sure. First, thanks for having me on. Writing the book was a sort of a culmination of more than a decade of reporting in this territory for the Times. I hope you’ll enjoy the HBO doc when it’s out, we hope in October, just before the election. It’ll take you through a lot of these issues, including the one that General Nakasone gets at there.


Which is essentially the question of deterrence, which is, if you take at face value, the American claim that we have the biggest, the best cyber offensive operations in the world. That we’re the ones who wiped out the Iranian centrifuges a decade ago in Operation Olympic Games. What many of your listeners know of is the Stuxnet attack.


David: If we’re the ones who went after the Russians in 2018 to disable the IRA. The Internet Research Agency before the midterm elections, and to go after a Russian intelligence. If we’re the ones who got into the North Korean missile program, the Iranian missile program. If we put a code in the Russian power grid, as I’ve reported in an effort to sort of push back at them, then why are we still being attacked?


The answer to that question is that we haven’t figured out this deterrence thing. That cyber attacks happen at the short of war level. We’re seeing them happen so much because no one wants to take on the United States military directly.



There’s a Lot Less Drama to Do a Cyber Weapon



David: Eric, you’re a veteran of all of this. Who wants to, like, roll up against the Fifth Fleet or something?


Eric: And why would you, if you didn’t have to?


David: If you can do something as cheap and as usable as cyber. And cheap and usable are two very different things. Cheap, well, we worry a lot about nuclear weapons. I write a lot for the Times about nuclear weapons, but let’s face it. To get nuclear weapons, you need uranium or plutonium. You need a billion dollars or so worth of facilities, you need enrichment, you need the years to make a bomb.


To do a cyber weapon, it’s going to take a lot less drama. It’s much easier to hide. You need some teenagers or millennials, some laptops, some stolen code from the NSA. God knows there’s a lot of that floating around. Some pizza, some Red Bull and you’re kind of ready to go.


Carolyn: That was one of the big aha moments for me, David, in your book. Any buffoon really with even just a little bit of money and a little bit of determination can cause a lot of harm. It occurred to me that even I could cause a lot of harm just with the tools that I use every day. Just with my social media tools.


David: You can, but you know, social media, Carolyn, is almost a different type. When I think about cyber, I try to divide it up according to how you would use the weapon. For traditional weapons, we think differently about the dangers posed by rocks and arrows, by handguns, automatic weapons, missiles, and nuclear bombs. There’s a large spectrum out there.



Cyber for Espionage Is a Prevalent Fear in the Cyber Age




In cyber, you have to think about cyber for espionage. That’s really how people begin with this. Then you have to think about cyber for data manipulation. If I could change the targeting of missiles in the Pentagon’s armory. But also if I could just get into the medical database and alter the blood types of every soldier and sailor. Imagine the amount of harm you could do.


Eric: Or change on a COVID vaccine for national reward.


David: We should come back to that. If you want to use cyber for sabotage, that’s the Iran case, that’s the North Korea case. That’s the Sony hack where the North Koreans came in and not just revealed emails from within Sony. That is a part a lot of people remember. What they forget is that they destroyed 70% of Sony Pictures Entertainment’s computer systems.


Carolyn: I didn’t realize that. I remember the emails, you’re right, but I did not realize what they did to their network and their computers.


Eric: It was horrible.


David: When the emails came out, we learned the important national security information that Angelina Jolie’s reportedly difficult to work with on the set. National Enquirer had a great time with that. But they didn’t do very much with the meltdown of 70% of the computer systems. Think what it would have taken if the North Koreans didn’t have cyber. How would they have destroyed Sony’s computer systems in response to their release of the interviews?


Eric: They wouldn’t have stopped that horrible movie’s release. They still didn’t in this case.



A Really Bad Comedy




David: I often say to my kids that 100 years from now, when people say, “Grandpa, what started the war between North Korea and the United States?” The answer is going to be, “Well, you have to understand that there was this really bad comedy that came out.”


But if you were going to go do this without cyber, what would you have to do? You would have to land some saboteurs at Long Beach. Grab an Uber up to the Sony studios, hope that the tour was on. It’s probably been canceled now for COVID purposes. Slip off of the tour and stick dynamite underneath the computer center and blow it sky-high.


Now, if that had happened, whoever was president, Barack Obama, Donald Trump, Joe Biden, Hillary Clinton, a Martian. They all would have had to go respond with a military response against Kim Jong-un. It would’ve looked like an international terrorism incident in the middle of LA.


Carolyn: I would argue what they did was more extensive than what they could have done with the scenario you just described.


Eric: And cheaper and easier.


David: And never had to enter the US.


Eric: David, this is the problem that I get stuck on with the government customers, whether it’s in the US or elsewhere. If a plane is flying over the United States, crossing our boundaries, the Air Force has responsibility. Somebody comes rolling across the borders, it’s the Army. If they’re ships off the coast, it’s the Navy. If a foreign nation-state enters our power grid and takes something down, it’s DHS.



The Attack Scenario Instigated Fear in the Cyber Age



Eric: Yes. Sometimes, unless it’s Duke Power or a private power company, they don’t want DHS or NSA or anybody else invited in because they’re afraid of their stock price or something. There’s nobody, there’s no one throat to choke as I like to say. There is nobody that can be held accountable because there’s no one entity that’s responsible. Even if you get attribution down, which is tough.


David: One of the things I did in reporting for this book, they were kind enough to let me in on the simulation that once every two years, the electric power grid industry, including Duke, participates in for a mass attack on the US power grid. It was a really good simulation the year I sat in. The book came out in 2018. I was probably in, this was either December of 2017 or January of 2018.


In the attack scenario, it was a combined cyber and physical attack. You had cyber attacks happening to take out power stations in the United States. Meanwhile, you had snipers coming in and basically shooting at these facilities so that you couldn’t get your computer experts in and out of the buildings to actually bring the cyber attack. Compensate for it and bring it back up, try to remediate it.


It was a really good scenario. Then there’s a phone call with all of their CEOs, which the actual CEOs joined of many of the big power companies. I discovered that their response was completely disjointed from whatever was happening in the White House Situation Room. There was just no connection whatsoever.



A Crippling Cyber Attack



Eric: Let me ask you a question and this is going to sound obvious. Why would you expect it to be connected? The entities themselves don’t work together typically?


David: They’re getting there, they’ve been spending years trying to get together to work more cooperatively. I would actually have to say that the two industries that have done this the best have been the electric power industry and the financial industry.


Those are the two that have realized that a crippling cyber attack would be the end of their business. If Bank of America or JP Morgan Chase went down in a total cyber attack, you know that you would pick your money up. Move it to someplace you thought protected it better.


They might not protect it better, but you’d probably pick up your money and move it anyway. They have been so concerned about it that they’ve spent hundreds of millions of dollars a year on protecting the systems. What I worry about more than that is not the Cyber Pearl Harbor, the phrase that you hear politicians use, but the grinding smaller attacks.


The Russians, the Chinese, the North Koreans, the Iranians, they all realize that if you do a mega attack on the US, you’re going to probably be visited by some B2s. But if you do short of war attacks, you can get away with a lot.


Eric: That’s that low-grade cyber conflict you talk about. I think you call it low level, never-ending cyber conflict would just continue. Your book goes through a decade-plus of examples where it’s just a little bit.



An Innovative Russian Attack



Carolyn: Which is what we’ve been seeing Russia do. They just go right up to the edge.


Eric: Well, Russia, China, Iran, everybody.


David: Look at what we learned last week. All of them. Just last week we wrote a story about a really innovative Russian attack. We’re not even sure it was a government attack. The Russians looked out and saw everybody working from home.


They said, “Okay, I want to place employees who work for really big Fortune 500 companies. I don’t want to spend my time cyber attacking mom and pop stores.” Okay? “I want to go right after the biggest fish in the pond.”


So what did they do? They looked at who was using VPN, virtual private networks from home into work. They don’t have to get into the VPN, they just have to see that that VPN is the New York Times or General Electric or Boeing. And they say, “Oh, Eric and Carolyn, they work for Boeing. So if we can get into their laptop, they will take us through their VPN.”


Eric: That was a great article.


Carolyn: That’s one of the things that struck me about the OPM breach. Not technically, my records were part of that breach. I thought about it for a minute and I’m like, “Eh, I’m a low-level marketer. It’s not a big deal.” But then you start to connect the dots and how these foreign nationals are really mapping out the soft underbelly of our workings. I might be that little thread that they might choose to pull because I do hold a clearance. They can get in with my credentials.



We’re All a Part of a Cyber Tapestry



Carolyn: It became clear to me how we’re all part of this cyber tapestry that you weave for us.


David: What’s really fascinating about OPM, it’s the Office of Personnel Management. It was a Chinese hack. There are a few really fascinating elements to it. First, the Obama administration never told anybody that it was China. It leaked out, we published it. But they never officially came out and did it, which was a huge failure of deterrence, number one.


Number two, we have learned since that the same units that did OPM also then turned around and did the Anthem healthcare hack. That’s what we call the Marriott hack, but it was really on the Starwood Hotels, which Marriott later acquired. We’ve discovered a series of other attacks at the same time. So what was this about?


First, what it was about was collecting a great database of who’s got security clearances around America. Second, to get that security clearance, both of you probably had to go fill out this incredibly long form called an SF-86. You probably hated every minute of it.


Eric: I really go back to my SF-86 sometimes if I want to understand something or remember something about where I was somewhere. It’s so comprehensive, David.


David: It’s incredibly comprehensive. What the Chinese got was not just your name and your social security number. They get your kids, your medical history, your financial history, every relationship you have ever been in. Imagine the utility of that. They get every foreigner you have ever met, if you could possibly remember.


I was a foreign correspondent in Japan for six years. I’m going to sit there and list every Japanese I ever met for six years? It’s incredibly comprehensive.



The Incompetence of the US Government



David: From the Marriott hack, they get where you stayed and perhaps who you were traveling with. From the healthcare hack, they get your medical records. It’s a pretty fabulous database and what did we discover? As I describe in the book, the CIA really had to pull back people who they were getting ready to assign to China.


Who had been training for years to go in under some form of deep cover in China. Because all of a sudden the Chinese either had all their records or when they show up and announce that they’re going to be the agricultural secretary in the diplomatic mission and they see that their records aren’t there. It’s like why didn’t they just come in with the letters CIA emblazoned on their forehead.


Eric: When they’re burned for life too. An entire generation or more of assets are substantially non-real at this point.


David: Think about the incompetence of the US government here. For your listeners, I know I work for the New York Times, everybody thinks that they’re axiomatic for Donald Trump. This happened during the Obama administration.


The incompetence here was the Pentagon, the intelligence agencies all locked down their personnel records. Nobody thought about the fact that the most boring bureaucracy in Washington, the Office of Personnel Management, held the clearance records for 22 million people.


Carolyn: Were they there because they happen to have a storage room? Am I remembering that right?


David: What you’re remembering is OPM did these searches. Congress didn’t have enough computer space to keep all of your records. So Congress had mandated, out of the best of intentions, that before you go off and you buy cloud services and spend the taxpayer’s money, you go look around for empty space in the US government.



The Fear in the Cyber Age for the Total Capability of Cyber



David: So great, they found it across the Mall at the Department of the Interior where we protected your clearance information with buffalo migration in Yellowstone.


Eric: It just goes to show the cost-effective nature and the total capability of cyber, whether you’re doing it for exploitation or offensive actions. It’s so powerful. Like you said, David, the deterrence piece. Where is the deterrence?


David: It’s missing. To General Nakasone’s credit, he has worked really hard on building up American deterrence efforts. One of the ways he has done that is he got the president to sign a fairly surreptitious executive order, it’s described in the book, in August of 2018. John Bolton discusses it in his new memoir. That begins to put more power into the hands of US Cyber Command and NSA, he commands both.


Enables them to conduct short of war operations without going through lengthy processes to get approval from the president for each strike. That stuff he did against the Russians in 2018, he did under that authority. We don’t know how often he’s used it, but that is good. It’s particularly good because, as anybody who has worked for Donald Trump will tell you, getting him to approve doing something that pushes back on the Russians is not the easiest task around.


Carolyn: There was just too much to cover with David for one episode. We’re going to continue our chat with David on next week’s episode. We will get to his list of things we must do when it comes to cyber-warfare. And his take on the security of the upcoming elections.



About Our Guest










David Sanger is a national security correspondent and a senior writer. In a 38-year reporting career for The New York Times, he has been on three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting. His latest book, soon to be an HBO documentary: The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age.


It examines the emergence of cyber conflict as the main way large and small states are competing and undercutting each other, changing the nature of global power. For NYT, Sanger has served as Tokyo bureau chief, Washington economic correspondent, White House correspondent during the Clinton and Bush administrations, and chief Washington correspondent.

Source: https://www.forcepoint.com/resources/podcasts/war-sabotage-and-fear-cyber-age-nyt-reporter-david-sanger-ep-87-part-1
