War, Sabotage, And Fear In The Cyber Age – With NYT Reporter David Sanger, Part 2



Part Two: New York Times reporter, Pulitzer Prize winner and best-selling writer,
David Sanger
discusses his latest book, presently to be an HBO special
“The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age”, which focuses on cyberwarfare. This week gets to David’s list of things we must do when it comes to cyberwarfare and his take on the security of the upcoming elections.




Episode Table of Contents





  • [00:30] Who is David Sanger





  • [06:17] The Great American Capability Revealed





  • [13:47] The Only Effective Element





  • [20:35] David Sanger Talks About the Upcoming Election





  • About Our Guest




Who is David Sanger




Carolyn: This week, we continue our conversation with
David Sanger, New York Times National Security Correspondent and a senior writer. In his 38-year reporting career for the New York Times, he’s been on three teams that have won Pulitzer prizes.




Carolyn: He’s a two-time bestseller on foreign policy and national security. This week our chat goes back to his latest book, which in the fall would be an HBO documentary,
The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age. We get to David’s list of things we must do when it comes to cyberwarfare. And get his take on the security of the upcoming elections.




Carolyn: David, in my mind I have simplified and reduced the damage of major breaches such as Snowden down to the leaked documents, but after reading your book, I believe it is a lot more than that. Can you talk about the damage of a breach beyond the documents themselves?





David: There are several. First of all, we’ve all gotten inured to the letter that you get. You probably got one after OPM saying, “Your data has been breached. I’ve given you a year’s worth of free information breach insurance.”



The Subtle Approach of Data Manipulation




Eric: Only if you are a government employee. You just get notified if you were not. I got more with Equifax, Home Depot, and a couple of others than I got from the OPM breach.



David: Well, in the OPM breach, it was a ridiculous letter anyway. They never mentioned that it was China, something you might want to know. As if Xi Jinping was interested in your Visa card, Eric. He’s got enough greenbacks to keep himself going for a little while. It told you the government wasn’t even thinking correctly.



David: At least in their public outreach to you about what the importance of this breach was. Carolyn, you’ve raised a really interesting question. The daily breaches just make you feel vulnerable all the time. That’s one thing. The data manipulation, that’s the stuff I worry about because they’re much more subtle.



David: If you redirect that missile, you’re probably not going to discover that your missile has been redirected until you’ve launched it. If you alter that database in the Pentagon with the blood types, you’re probably not going to discover that the blood types have been changed until someone dies. That’s worrisome.




David: On the offensive stuff, it’s great that the US is figuring out how to make use of this new technology. If everybody else is doing it, we have to. But we are nowhere right now in setting international standards about what’s off-limits and what’s not.



David: If we want to say let’s sit down with the Russians, the Chinese, maybe a few other big actors and come to some sort of arms control understanding that says, what’s off-limits, guys? Power grids. Because if you turn it off the power, it’s probably going to kill people.



An Attack on Our Every Fiber




David: It’s going to kill people, especially the most vulnerable. People at hospitals, people in nursing homes, people who are shoved into their houses.



Eric: Even people who need food. At some point, the food supply system in a couple of days shuts down.



David: If you saw runs on supermarkets just with the early days with coronavirus, imagine what you would see there.



Eric: We had information, we had power, we had the ability to keep the food at home. It was a great drill, but it was only 20% of the real problem in my opinion.



David: What’s happened here now is that if you want to get the arms control agreement, you have to say, okay. We’re going to give up attacks on the electrical grid. How about election system? Should we all agree that we won’t attack election systems? Anyone wants to sign up for that? So forth and so on.



Carolyn: That was where we saw Obama finally say, “You know what? This is an attack on our very fiber.”



David: If you can’t hold free elections, the core of democracy is undercut.



Carolyn: Didn’t we already try this and nobody else got onboard?



David: No, really the United Nations tried it. A bunch of countries got onboard early on and then began to walk away. But think about us, supposing you took those proposals to the intelligence agencies. The first thing they might say is, “Then what do we do?”



David: Like no attacks on electrical grids? Has anybody briefed you on Nitro Zeus?




The Great American Capability Revealed




David: It was the undercover US plan to take out the Iran power grid if we got into a conflict with them in hopes that we wouldn’t have to bomb them. It might actually save lives.



Carolyn: That’s scary too because doesn’t our enemy now have the playbook on Nitro Zeus?



David: Our enemy may, but our enemy knew that we were capable of turning out their power grid. When I hear people say, “Oh, you’ve revealed a great American capability.” The first thing I say to them is I’m perfectly willing to hold back on publishing something that we have reason to believe the Russians, the Chinese, the Iranians, the North Koreans don’t know about.




David: Turning off power grids? They’ve figured that one out. By the way, Stuxnet, which I wrote the first big pieces about how the U.S. government got at it. What tipped the Iranians off to the existence of Stuxnet? The code leaked because we and the Israelis made a coding mistake, or one of us did.



Eric: It’s interesting. In cyber, there’s almost an equivalency between nation-states at this point. You could argue we’re slightly ahead of the Russians or the Chinese and have many more people and more capability and more time on their hands, whatever it is. There’s a general equivalency, however we as a nation have the most to lose.




Eric: That’s where we should be incentivized to come to some level of assured deterrence. Because it doesn’t get any better for us. We have absolutely the most to lose in my opinion. David, you talk about that in the book. The five things the government must admit as getting to some level.




Achieving a Semblance of a Balance of Power




Eric: I don’t know if I phone call it peace or I don’t know what you’d even call it.



David: What I arrive the book are the things that we need to do to get a semblance of a balance of power. Look, this is difficult. In the early days of the nuclear age, we thought we had a huge lead. And then we woke up one day and the Soviets had just conducted a nuclear test. And then the Chinese did, then, of course, France-United Kingdom had it. That was fine with us, but then India, Pakistan, Israel got it.




David: We got to a point now where there were nine states that either have declared or undeclared nuclear weapons capability. We have at least 35 states and probably closer to 40 or 45 that have sophisticated cyber capability. Still, we’re acting as if because we’ve got the latest and greatest, it’s not really an issue. I don’t get that.



Eric: That’s your premise number one. Essentially our cyber capabilities are no longer unique. They’re certainly not unique enough to be a difference-maker.



David: Number 2 issue that you’ve got to think about is if you believe that you’ve got a lead but it’s diminishing, isn’t it in your interest to get to those understandings and agreements and your deterrent capability first? Because as that lead goes away, that vanishes to nothing, nobody else is going to sign up.



Eric: Your negotiation power weakens over time as your adversaries become stronger. This is a hell of a lot cheaper for them to attack or to leverage than buying kinetic weapons.



A Public Health Problem Turned National Security Problem




David: The 3rd thing is we’ve got the focus of how we spend money on defenses completely wrong. COVID’s taught us in the past few months that what we thought was only a public health problem is actually a national security problem. We sent the Pentagon and the NSC, the National Security Council, and others to think about biological weapons that would get dropped on the United States.




David: And we didn’t think about the dangers of tourists coming back from Wuhan or teenagers on spring break. Whether or not it can have the same effects. In the cyber realm, we’re guilty of the same thing. We are spending the overwhelming amount of our defense budget on weapons systems we will never use. That does not give us a whole lot of defenses.



David: We are spending far too little money but I would argue more importantly, far too little mind share on the vulnerabilities created by things like cyber. Which as you say, Eric, are so cheap. It levels the playing fields for governments that couldn’t spend a hundredth or a thousandth of what we spend on our military.



Eric: You often hear about the saying where the military is fighting the last war. One of the things you observe is the people who are in power who are making decisions, they came up through the first Gulf War where there was essentially no cyber or before that.




Eric: They don’t have the context, the framework that some people would to understand how the battlefield is shifting. The next war is absolutely going to have cyber. It’ll probably have space. We’ve never had a war in cyber or space, like an all-out declared war.



David Sanger Unpacks the Complexities of Not Naming the Attacks




Eric: That’s going to be challenging to us. We have aircraft carrier battle groups everywhere that are ineffective to stop an attack on our power grid.



David: That’s absolutely right. There’s no major military plan for any major military power that doesn’t have cyber built into the first 24 hours. That makes a huge difference.



Carolyn: One of your points too is just that we’ve got to get better with attribution. Like you’ve said a few times, name who did these attacks. But in your book, you also unpacked the complexities of why we’re not naming because then we reveal how we know that it was them.



David: This is a piece of thinking we need to change. That we want to name everybody because you’re not going to create your deterrent issue. You’re not going to create international alliances that sort of form up against the Russians or the Chinese, the Iranians, the North Koreans, whoever the cyber actor is unless you’re willing to get out and attribute the attack.




David: There’s just one offender on this that’s worse than the U.S. government. I have to give credit to the Trump administration. They’ve done a better job of getting out and naming countries that attacked. They named North Korea on WannaCry, they named Russia on NotPetya. They’ve done a better job than the Obama administration did on that.




David: They’d been disorganized in the way they’ve thought about cyber. I think they did well and did it early on. They actually dismantled a pretty good cyber team that they had at the start of the White House. That team did get this together. The group that’s worse is Corporate America.




The Only Effective Element




David: You guys see this all the time I’m sure. The first time there’s a big attack on a company, the first thing the company thinks is how do I hide this from everybody? Because it will undercut confidence in the company.



Eric: And my stock price.



David: The only effective element against this has been the Securities and Exchange Commission. It has required companies to disclose attacks that are big enough that they might actually be material. But companies spend a lot of time figuring out how to hide it. If I was running the world, I would really require companies to reveal significant cyber attacks.




David: The penalty being that if they fail to do so, jail time for senior executives. That’s the only way that you would actually get a real agreement of the nature of the problem. If companies knew they had to reveal it, they would then spend the money to keep it from happening.



Eric: You also have to prevent them. There has to be a regulatory component that prevents litigation likewise. That’s a big fear. You’ve got to open up things like access to data. Can they let the government in a healthcare breach to have access to HIPAA data? Who can? There are so many components, but we can do this.



David: The government has access to HIPAA data anyway. It’s called Medicare. I mean, we’ve got tons of access to the data that the U.S. government has anyway. I think there are ways to do it.



Eric: When you’re in the middle of this crisis as a corporation, I’ve seen this. I’ve watched it from both the government and the corporate side and the interfacing. There’s just this unknown and you’re in this time crunch.




Five Things David Sanger Recommends the Government to Admit




Eric: You’re working and you don’t know, can I bring in an SA? Can I bring in DHS? What’s the impact of that? Then FBI comes in and who’s in charge? It gets very squirrely very quickly. Then what do you tell the board, and how much do we disclose, and when do we disclose?



David: But they’ve got to disclose. There are a lot of small attacks you don’t have to worry about each time. If there’s something that’s a significant breach, you’re not going to begin to get to the deterrent issue until it’s revealed. You’re not going to get companies to actually spend the money they need to spend on resilience. Not stopping the attack, but recovering from it.



Eric: What we’ve seen with Sony and Equifax and Starwood, they’ve all recovered. The share prices have recovered. All of these companies have come back. It’s a ding on the risk side. It definitely costs them money and some prestige, but they come back.



Carolyn: David, there are so many things I want to continue talking to you about like quantum computing.



Eric: Did we get through the list of five things that he recommends the government must acknowledge? We talked about attribution. David, you talked about rethinking the wisdom of reflexive security around our capabilities. Want to amplify that a little bit?



David: The more that you explain your capability, the more you’re actually going to take some deterrent effect out of it.



Eric: You assail me. This is what I’m capable of doing back.



David: We did this in the nuclear world. Before I went to write this book, I reread a book I had not read since college.




How Nuclear Weapons Changed Our Way of Thinking About Strategy




David: College was a little while ago, and it was called Nuclear Weapons and Foreign Policy. Henry Kissinger wrote it. It’s the first popular book for the American public about how nuclear weapons changed the way we had to think about strategy. Just as cyber changes the way we have to think about it.



David: I went to see Kissinger just as I was getting going on the writing. And I explained to him what I was doing. He looked at me and he said, “Oh, David, cyber is so much more complicated. Because in the nuclear world, we knew the small number of countries that had the capability. We knew the names of everybody who had launch authority. That’s all missing in cyber.”




Eric: The world needs to set up norms of cyber behavior focused on principles. It’s kind of how I summarized it.



David: This gets back to what I was describing before. You need to be able to have some principles about what you’re not willing to do during peacetime. And then what you’re willing to do in wartime, which might be a different list. Get people to sign up to it the way we’ve signed up to arms control on nuclear weapons. Also the way we’ve agreed to ban nearly all use of landmines.



David: We don’t want them planted and kids to step on them a generation later. The way we all agreed on biological weapons, the way we all agreed on chemical weapons. Have there been breaches? Absolutely. But by and large, those systems have worked. There’s no firsthand evidence that they wouldn’t work in the cyber realm if you get the attribution piece of it right.



Setting the Norms and More Forums About Cyber Security




Eric: This is the tough one for me. You just named a bunch of examples where it mostly works, but it’s not 100%. My mentality always wants 100%.



David: You’re not going to get 100%.



Eric: That’s what I have to get used to.



Carolyn: There are always workarounds. Just like how China has come in and just bought shares in companies, so they get to see the tech first. That’s how they’ve worked around not being able to own these companies.



Eric: From an espionage perspective, yes, and perhaps even sabotage. You’re absolutely correct, Carolyn. But the one thing as I thought about this and I thought about it the first time I read the book. I thought about it as I was preparing for this discussion.




Eric: At least if we get to number five, we set up norms, we’re communicating. We have a forum. I thought more and more about it. I don’t know of any actually good forums today where we’re discussing cybersecurity. Or cyber attacks with foreign nation-states other than to the press.



David: We’re doing it at the United Nations ineffectively.



Eric: That’s probably the best I could come up with.



David: There are some well-meaning, but largely academic-run operations there. It’s a group of experts that meet there. There are some other efforts done in the private sector to get it going. But it doesn’t have the energy behind it that we had behind those other examples, nuclear, biological, chemical, and so forth.



Eric: Nor the constraints.




David Sanger Talks About the Upcoming Election




Carolyn: I would love to hear you talk about the upcoming election and the possibility of securing it, David.



David: It’s something we’re spending a lot of time on. It will be covered in that HBO doc that I mentioned as well. One of the big changes in the election this year is that we’re thinking a lot more people are going to be casting ballots. Basically by what we used to call absentee ballots, but you may not be absentee.




David: It may just be that you don’t want to take the virus risk of standing in line in the school gymnasium or church. Or some kind of government office and waiting to press your fingers on a polling machine. The last 150 of your neighbors came in and pressed their fingers on it too. The good news about that is it will force us to more paper backup, which is great.



David: The bad news is, once you’re in the world of doing a paper ballot from home, a mail-in ballot, you’re more dependent than ever on the integrity of the registration system. Because it’s that registration system that is used to send out ballots to your house. To make sure that it’s up to date and that you’re not sending it to somebody who used to live there.




David: That you recognize that one of you may have changed states in the past four years and so forth. We’re worried about that registration system. In 2016, the Russians grabbed data out of Arizona and Illinois out of their systems. We then thought that they were into 21 States. Go into the Intelligence Committee’s report on the 2016 election, they now believe the Russians were inside all 50 States’ registration systems.




A Perception Hack




David: That doesn’t mean that they messed with it. We have no evidence that they messed with it. But it doesn’t take messing with all of the registration systems.




David: If I can get into a couple of key counties in a couple of swing states and mess with that. I will have conducted what’s called a perception hack. This means that you will presume that every other county has been messed with also even if it wasn’t.



Eric: So you question the credibility of the election and that gets to the root of it.



David: What are you hearing President Trump do already?



Eric: Questioning the credibility.



David: He’s already said, “This will be the most rigged election ever.” Now, if there’s an overwhelming vote one way or the other, if Joe Biden wins in a blowout or if Donald Trump wins in a blowout, I don’t think it’s a particularly big issue. If it’s a close election, and most of our recent elections have been close, it could be a huge issue.



David: What I say to that is this, we’ve been worried about the election machines. I’m a little bit worried about the election machines. But the biggest protection we have on our election machine infrastructure is that it’s different in all 50 States. Hacking into that system would require you to have a different hack in all 50 States.



David: Actually every county is different. Some cities are different. The fact that our system is so disparate, so backward, and so half analog, half digital, it’s really a form of protection. The registration system worries me because that’s the outward-facing part. I can go on a public website. I can go in and try, if I was a good hacker, to do a ransomware attack.



Why It’s Critical to Have Multiple Backups on the Registration System




David: Recall what happened in Atlanta, in Baltimore, in all those cities and towns in Texas last summer. There were ransomware attacks, criminal, not state we think by and large. They just jammed up the system so you couldn’t get any data out of it. You couldn’t pay your taxes, you couldn’t go apply for a building permit, you couldn’t pay your parking fines.



Eric: They just shut them down.



David: They’ve shut them down and issued a ransom demand. That’s why it’s critical that every city, town, country have multiple backups of their registration system. Print it out, analog version as well as a digital version. DHS has been working really hard on solving that problem. But we don’t know how broad and effective that has been. We probably won’t know until election day.



Eric: That goes back to your red line that you talked about. Some level somebody’s got to draw that.



David: Count the number of presidential speeches you’ve heard in the past four or eight years on that topic.



Eric: I bet there are dozens.



David: I come up with zero. Presidential speeches warning foreign states not to mess with our election system.



Eric: I’m with you, on the election system.



Carolyn: I’m going to get back to the hopeful note that our systems are so primitive and out of date that we’ve got some protection there.



David: Let’s hope so.



Carolyn: Thank you so much for joining us, David. This has been just a fascinating chat.



David: This is great, guys. I’ve enjoyed it. I will happily come back when we have our documentary out. We’re a little closer to the election. We can pick it up then.



About Our Guest





David Sanger
is a national security correspondent and a senior writer. In a 38-year reporting career for The New York Times, he has been on three teams that have won Pulitzer Prizes. Most recently in 2017 for international reporting.




His latest book, shortly to be an HBO documentary:
The Perfect Weapon: War, Sabotage and Fear in the Cyber Age, examines the emergence of cyber conflict as the primary way large and small states are competing and undercutting each other. Changing the nature of global power.




For NYT, Sanger has served as Tokyo bureau chief, Washington economic correspondent, White House correspondent during the Clinton and Bush administrations, and chief Washington correspondent.

Source: https://www.forcepoint.com/resources/podcasts/war-sabotage-and-fear-cyber-age-new-york-times-reporter-david-sanger-part-2-ep-88
