David Sanger's very interesting recent book, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, is a timely read this month, following the indictments of twelve Russian intelligence officers for hacking the DNC in 2015. Sanger is a national security writer for the New York Times and has covered cyber security issues for a number of years. He, William Broad and John Markoff were among the first journalists to piece together the story behind the Stuxnet attack on Iran's nuclear fuel program (the secret program called Olympic Games), and the book also offers some intriguing hints about the possibility of "left of launch" intrusions by US agencies into the North Korean missile program. This is a book that everyone should read. It greatly broadens the scope of what most of us think about under the category of "hacking". We tend to think of invasions of privacy and identity theft when we think of nefarious uses of the internet; but Sanger makes it clear that the stakes are much greater. Current cyber-warfare tools are capable of bringing down whole national infrastructures, leading to massive civilian hardship.
There are several important takeaways from Sanger's book. One is the pervasiveness and power of the offensive cyber tools available to nation-state actors for penetrating and potentially disrupting or destroying the infrastructures of their potential opponents. Russia, China, North Korea, Iran, and the United States are all shown to possess tools of intrusion, data extraction, and system destruction that are extremely difficult for targeted countries and systems to defend against. The Sony attack (North Korea), the attack on the Office of Personnel Management (China), the attack on the Ukraine electric grid (Russia), the attack on Saudi Arabia's massive oil company Aramco (Iran), and the attack on the US electoral system (Russia) all proceeded with massive effect and without evident response from their victims or the United States. At this moment in time the balance of capability appears to favor the offense rather than the defense. A second important theme is the extreme level of secrecy that the US intelligence establishment has imposed on the capabilities it possesses for conducting cyber conflict. Sanger makes it clear that he believes a greater level of public understanding of the capabilities and risks created by cyber weapons like Stuxnet would be beneficial in the United States and other countries, by permitting a more serious public debate about the means and ends, and the risks and rewards, of using cyber weapons. He likens this to the Obama administration's eventual willingness to make a public case for the use of unmanned drone strikes against its enemies.
Third, Sanger makes it clear that the classic logic of deterrence that was successful in maintaining nuclear peace is less potent when it comes to cyber warfare and escalation. State-level adversaries have selected strategies of cyber attack precisely because of the relatively low cost of developing this technology, the relative anonymity of an attack once it occurs, and the difficulties faced by victims in selecting appropriate and effective counter-strikes that would deter the attacker in the future.
The National Security Agency gets a lot of attention in the book. The Office of Tailored Access Operations gets extensive discussion, based on revelations from the Snowden materials and other sources. Sanger makes it clear that the NSA had developed a substantial toolkit for intercepting communications and penetrating computer systems to capture data files of security interest. But according to Sanger it has also developed strong cyber tools for offensive use against potential adversaries. Part of the evidence for this judgment comes from the Snowden revelations (which are also discussed extensively). Part comes from what Sanger and others were able to discover about the workings of Stuxnet in targeting Iranian nuclear centrifuges over a many-month period. And part comes from suggestive reporting about the odd fact that North Korea's medium-range missile tests were so spectacularly unsuccessful for a series of launches.
The book leads to worrisome conclusions and questions. US infrastructure and counter-cyber programs were highly vulnerable to attacks that have already taken place in our country. The extraction by Chinese military intelligence of millions of confidential personal records of US citizens from the Office of Personnel Management took place over months and was uncovered only after the damage was done. The effectiveness of Russian attacks on the Ukraine electric power grid suggests that similar attacks would be possible in other advanced countries, including the United States. All of these incidents suggest a level of vulnerability and potential for devastating attack that the public is not prepared for.