I was attending a cybersecurity conference outside San Francisco several months ago when an alarming bulletin crawled across the bottom of a television screen: “White House cybersecurity czar Tom Bossert to step down.” The room let out a collective gasp. Bossert was generally viewed as one of the few people at the White House who understood computers, computer networks, and information technology—and how it was reshaping the way we think about warfare and conflict.
Bossert had been a deputy homeland security adviser to President George W. Bush and spent two years overseeing critical US infrastructure security. This put him on the front lines as hackers quietly probed American and European nuclear power plants and water and electric systems. When President Trump named him assistant to the president for homeland security and counterterrorism in late 2016, experts were somewhat relieved. Bossert, they hoped, would be a countervailing force in a White House in which the president had famously suggested that meddling in the 2016 election could have been done by Russia, China, or “a 400 pound genius sitting in bed and playing with his computer.”
Late last year, in what appeared to be a change in strategy, the administration publicly announced that North Korea was behind the widespread “WannaCry” attack, in which ransomware rendered hundreds of thousands of computers—including those in the UK’s National Health Service—useless. “Cybersecurity isn’t easy, but simple principles still apply,” Bossert wrote in a Wall Street Journal editorial officially putting Pyongyang on notice.
Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the US today publicly attributes the massive “WannaCry” cyberattack to North Korea.
This past spring, the Department of Homeland Security went further and released screenshots that showed Russian state hackers installing malware on American power plant computers, which would have allowed them not only to seize control of the facilities but potentially sabotage them as well. That was the first time the administration called out Moscow so publicly. After years of obfuscation about what Russian hackers were up to, Bossert and the administration’s cybersecurity officials seemed to be signaling they would be more open about the threat. (More open, but not transparent; details of Russia’s election hack were allowed to remain ambiguous.)
A week after Bossert announced his resignation, there was more personnel news: President Trump’s cybersecurity coordinator, Rob Joyce, said he’d be leaving too. Joyce, a well-respected expert who used to run the Office of Tailored Access Operations, the NSA’s cyber-warfare and intelligence-gathering unit, said he would be returning to his old agency. Soon after, President Trump signed an executive order eliminating the cybersecurity coordinator position. Cybersecurity was clearly a diminishing priority at the National Security Council. (According to Bob Woodward’s new book, Fear: Trump in the White House, the president worried that international hacking efforts would end up pushing him into a military confrontation. Woodward reports that Bossert once tried to engage the president in a conversation about cybersecurity and was rebuffed. The president wanted to watch golf instead: “I want to watch the Masters…. You and your cyber war…are going to get me in a war—with all your cyber shit.”)
A decade ago there were just a handful of nations with effective cyber warfare; now there are more than thirty. The sheer number of countries pursuing these kinds of weapons shows that a new form of conflict has arrived; the concern is that new rules or norms for it have not. As a result, we’ve seen adversaries strike with impunity, calculating that their digital roguery won’t justify a military response. North Korea suspected it could hack into Sony Pictures in 2014 and not pay a price for it. President Obama said the attack would not go unpunished, but how the US responded is unclear and officials have hinted that some action may have been taken covertly. Just last week, the Justice Department unsealed an indictment that actually named one of the people they believe was behind the 2014 attack—Park Jin-hyok, a North Korean spy—and charged him with computer and wire fraud. (While he’s unlikely to ever see the inside of an American courtroom, the US hopes by exposing him it will hobble his ability to launch further attacks.)
When China vacuumed up the personal information of some 21 million Americans from the Office of Personnel Management—including documents used for the background investigations of current, former, and prospective federal employees—the director of national intelligence at the time, James Clapper, seemed to tip his hat to their ingenuity. “You have to kind of salute the Chinese for what they did,” he told an audience at the Aspen Security Conference. Three years later, it is clear that Washington is still struggling with how best to respond to big, blatant digital attacks and, more recently, the manipulation of social media.
The United States has been putting “back doors” on computers for years, using malware and sophisticated cyber-spying techniques. But offensive hacking is different. It can silently and invisibly shut down financial systems, sabotage critical infrastructure, and scramble enemy communications. Offensive cyber operations have the potential to dissolve the distinction between the physical world and the virtual one, and they challenge all our legal and international frameworks partly because they are largely invisible—they do their damage without the flash and bang of traditional weaponry.
Malicious code can sit in a computer network for months, quietly searching for security vulnerabilities without triggering any response. When the discount retailer Target was hacked in December 2013, the culprits stole personal and credit information from as many as 40 million shoppers. The hackers didn’t force their way into Target directly; instead they found a software vulnerability in an outside company that provided Target’s heating, ventilation, and air conditioning systems. Once they had broken into that network, the hackers were able to access Target’s customer information and the cash registers in its stores.
If cybersecurity was just about criminals after money, it would be easier to manage. But cyber attacks have evolved in sophistication. Some use code to corrupt data—imagine if you could just add a digit to a series of electronic bank transfers or change an adversary’s medical record so the blood type reads A instead of O. Others wreak havoc on operating systems. In 2007, the Idaho National Laboratory conducted something called the Aurora Generator Test, which used a software program to seize control of a diesel generator’s circuit breakers. Computer code began sending directions to the circuit breakers, telling them to open and close in quick succession, which eventually caused the generator to explode.
Finding the right response to this expanding repertoire of cyber attacks has confounded policymakers. Two new books focus on different aspects of this conflict, and they both suggest that the very nature of global power has been transformed by an expanding array of criminals, hacktavists, and foreign governments who have found that computer code can be the ultimate leveler among nations.
In his thoughtful new book, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, the New York Times correspondent David Sanger draws back the curtain on what he calls the “‘Seven Sisters’ of cyber conflict—the United States, Russia, China, Britain, Iran, Israel, and North Korea.” He contends that they are the world’s most active cyber powers although, he writes, cyber warfare is now a component in all modern military planning. He compares it to air forces after 1918. Airplanes started out as a revolutionary means of transportation until someone thought of adding a machine gun to them. Almost overnight, this revolutionized war. Cyber conflict, Sanger makes clear, is on track to do the same. In an era of asymmetric warfare, adversaries can hobble multibillion-dollar weapons systems with computer code, and no one is quite sure how to stop it.
The potential for escalation has already arrived. Sanger writes about a startling recommendation that Defense Secretary James Mattis made in the early months of the Trump administration. He told the president that the US should publicly declare that any attacks on its critical infrastructure, even a nonnuclear attack, would be met with a nuclear response. Trump apparently accepted Mattis’s aggressive recommendation without hesitation. A few months later, Sanger notes, the administration published a new strategy in which it redefined the parameters of battle: America would now launch constant, low-grade cyber attacks against foreign servers before threats against the US could even materialize; it was the digital equivalent of a preemption doctrine.
Iran is one of the reasons such preemption has become standard. Sanger writes that one senior intelligence official told him that, typically, when you think of the hierarchy of weapons systems, you think of nuclear weapons on top, then bioweapons, chemical weapons, and conventional firearms. Iran is different, the official said; it has put cyber weapons on top, which has allowed it to compete with the US in a way it never could in the past.
Cyber warfare allows adversaries to be extraordinarily disruptive with minimal consequences. In 2012, Saudi Aramco, the Saudis’ state-owned oil company, was the victim of an inside attack. Someone with privileged access to its network unleashed a computer virus that erased the hard drives of some 40,000 of the company’s computers and servers. The Saudis ended up having to scrap their infected computers and buy 50,000 hard drives, temporarily cornering the world’s supply. It took five months to undo the damage. US intelligence officials contend that Iran was behind the attack.
China’s hackers are no less aggressive, though differently directed—they are looking for government secrets and intellectual property. They are part of something called Unit 61398, which is housed in a nondescript building in Shanghai. As Sanger writes, a former air force intelligence officer named Kevin Mandia led a private investigation into Chinese intrusions into US government networks and private companies. Mandia tracked attacks on 141 different companies across a number of industries. Rather than go the traditional route of tracing the hackers’ IP addresses, Mandia had a better idea: he activated the cameras on their laptops and watched them as they broke into American servers. He even tracked their keystrokes. Mandia ended up giving the story to Sanger and his colleagues at The New York Times.
One US attorney in Pittsburgh, David Hickton, helped shape the debate on how to treat this particular hack by characterizing it as a criminal act. He and the Justice Department charged five Chinese military officers (working under pseudonyms like UglyGorilla and KandyGoo) of electronic theft of information from local Pittsburgh companies, including US Steel and Westinghouse Electric. The Justice Department even distributed wanted posters that featured the images Mandia had captured from their laptop cameras. The hackers were all in uniform. “This naming and shaming was unprecedented,” Hickton told me at the time. “The only way to stop this kind of behavior is to call them out.”
While the Chinese military hackers were never tried, the naming and shaming had an effect. In 2015, Chinese President Xi Jinping and President Obama agreed to work together to investigate cyber crimes and vowed not to knowingly support hacking-related theft of intellectual property. While that seemed to be a step in the right direction, the Trump Treasury Department has said that China has not lived up to the agreement.
In the RAND Corporation’s report Cyberdeterrence and Cyberwar (2009), Martin Libicki explains why cyber deterrence is so hard. As he sees it, attribution isn’t the problem—linking actions to perpetrators may take time, but it isn’t impossible. The real dilemma for deterrence is that cyber weapons are situational. While the one thousandth bomb is as powerful as the first, repeated use diminishes a cyber weapon. Code can be rendered useless with a simple patch. Nuclear weapons are meant to overwhelm the enemy—the doctrine of mutually assured destruction worked because it ensured that no one reached for the nuclear option, since both sides understood they wouldn’t survive. Cyber attacks are more complicated and can run the gamut from irritating (North Korea’s hack of Sony) to genuinely destructive (the Stuxnet worm that destroyed centrifuges in an Iranian nuclear facility). Had the Russians sent suicide bombers to polling stations during the 2016 elections, the US response would have been unambiguous. Their cyber offensive left policymakers with no clear precedent for a remedy or response.
Sanger argues that the rush to compare cyber war with nuclear war has prevented us from understanding how it fits into a broader geopolitical framework. How does one counter a cyber attack without potentially destructive escalation? All the options seem to lead to escalation: American cyber warriors could take down Russian financial institutions, release details of Putin’s ties to oligarchs, make overseas bank accounts disappear—the problem, Sanger writes, is that no one is quite sure where it ends. There is no model for escalation.
The best cyber attacks are ones that are hard to attribute. Hacking is one of the first strategic weapons created by the intelligence community (rather than by the military), so one could argue that the need for secrecy is built in. Transparency is anathema to intelligence agencies, so there is an underlying sense that any discussion of offensive cyber weapons would impede their use—a digital way of being able to neither confirm nor deny, ending any discussion before it even starts. If that sounds familiar, it should: this is what happened before there was a national conversation about drones as well.
David Cole made a strong case that ultimately it was not the Obama administration’s drone policy that became the problem, it was the secrecy that surrounded it.* When a classified memo written in 2010 laying out the rationale for killing Anwar al-Awlaki, an American-born radical imam working with al-Qaeda’s arm in Yemen, was finally released in accordance with a FOIA request, the big question was why the Obama administration fought so hard to keep it secret, since the memo was largely exculpatory.
Similarly, Sanger maintains that the secrecy surrounding America’s offensive and defensive cyber capabilities is standing in the way of our having a proper strategic debate about the future of digital weapons. Secrecy is hobbling policy. “For our response to deter attackers, it needs to be very public—as public as an American airstrike on a chemical-weapons plant in Syria, or an Israeli strike on a nuclear reactor,” he writes, adding that admitting to offensive cyber attacks will also change the discussion about them. Consider Stuxnet, the operation he reported on in the Times in 2010:
What if they had admitted to it, the way Israel acknowledges, implicitly or explicitly, that it has bombed reactors in Iraq and Syria? We might well have established one of those red lines: if you produce nuclear fuel in violation of UN mandates, expect that something bad could happen to your centrifuges—maybe from the air, maybe from cyberspace.
Sanger’s point is that there need to be parameters, an understanding of what is off-limits. He suggests that companies, not countries, lay out a consensus on principles that will protect civilians in a kind of “Digital Geneva Convention” to get the conversation started. Big tech companies, including Microsoft, Facebook, and dozens of others have embraced the idea. Notably absent from the list of supporters are Google, Apple, and Amazon.
Another attempt to establish a framework for the discussion about cybersecurity can be found in The Virtual Weapon and International Order, Lucas Kello’s book about cyberspace, stability, and the world’s balance of power. He does not provide a history of cyber warfare or even a narrative about the ever-growing number of attacks; instead, he discusses hacking against the background of political theory and international relations. He makes clear how difficult it has become to find the right model to address the largely invisible world of digital warfare.
Kello, the director of the Centre for Technology and Global Affairs at Oxford University, uses Russian, Iranian, and Chinese cyber attacks to suggest that they don’t just represent a change in tactics, they are the beginnings of a revolution. He contends that cyber conflict challenges the rational and moral order of the world as we know it; and worryingly, because cyber weapons are growing so fast, innovation is outpacing doctrines that might limit their risks.
Kello has four core arguments. The first is that cyber conflict among states and nonstates leaves us in an uneasy position, something he calls “unpeace”—a “mid-spectrum rivalry lying below the physically destructive threshold of interstate violence, but whose harmful effects far surpass the tolerable level of peacetime competition.” Imagine the shuddering effects of silenced cell phone networks, traffic lights going dark, or credit cards rendered useless. While it is short of war, it is destabilizing all the same. Second, Kello contends, because of the imperfect ability to attribute attacks, traditional tools of deterrence don’t work. Third, scholars and policymakers view hacking from dramatically different perspectives. And finally, we have yet to understand how it is rewriting the rules of conflict.
The most engaging part of the book comes when Kello calls for a “Congress of Disciplines,” a gathering of technologists, analysts, political scientists, lawyers, and philosophers to do for cyber warfare what the “Wizards of Armageddon” did in the 1950s and 1960s to set the stage for arms control in the nuclear age. The problem is that members of Kello’s congress will have a different challenge than that of the Wizards who preceded them. Countries that developed nuclear weapons were likely to be a finite group because there were major barriers to joining the nuclear club: you needed money, infrastructure, and specialized knowledge. Cyber weapons are more democratic: becoming a cyber power requires the same skills as an entrepreneur—imagination, determination, and a laptop.
“The cyber age presents an irony,” Kello writes:
It awards technological virtuosity with peril. Every advantage borne of the new technology also invites its dangers. Online banking enables cybercrime; digital communications bring forth surveillance; computerized industrial systems allow infrastructural damage; and so on.
In his view, this is the dilemma of our time. “Those nations that are most adept at harnessing cyberspace to achieve economic, social, even military gains are also the ones most vulnerable to threats propagating through it.”
Indeed, the multifaceted nature of the problem has proven to be a cross-domain nightmare for policymakers. While activists and journalists have been warning for years about social media’s erosion of our basic privacy, who could have predicted that our “likes” on Facebook could be transformed into election insights? Big Data, artificial intelligence, and machine learning are even transforming how we think about thinking and the way knowledge evolves.
And all this is unfolding, Sanger notes, without a conversation or a grand strategic debate about cyber conflict itself. One would have thought that Stuxnet would have pushed policymakers further in that direction. Instead, they remain flummoxed, unable to respond to a situation in which both sides are exploiting vulnerabilities in computer networks at such a pace that escalation seems inevitable. Sanger’s message in The Perfect Weapon is that in the next few years, when these cyber weapons are combined with artificial intelligence, calculations may go awry, mistakes will be made, and these stealthy cyber conflicts will disastrously escalate to affect physical infrastructure before people have the time, or the sense, to step in.
While the White House seems to be shirking its responsibility in this debate, the Pentagon is beginning to step into the breach. In late June Defense Department officials told the House Armed Services Committee that they had a plan to shore up the Pentagon’s policies regarding contractors and the cybersecurity they practice with an initiative called “Deliver Uncompromised.” The plan is to add a fourth pillar to the acquisitions process: in addition to laying out the cost, schedule, and performance of their programs, contractors would have to provide details about their cybersecurity protections as well.
News of the plan came just weeks after The Washington Post reported that the Chinese government had successfully compromised the computers of a navy contractor and had snatched highly sensitive information about US submarines, including plans to develop supersonic anti-ship missiles that could be deployed on subs as early as 2020. Defense Department officials briefed lawmakers on the details of that hack in a closed, classified session.
—September 12, 2018