Dina Tem­ple-Raston

The New York Review of Books - - Contents - by Lu­cas Kello

The Per­fect Weapon: War, Sab­o­tage, and Fear in the Cy­ber Age by David E. Sanger The Vir­tual Weapon and In­ter­na­tional Order

The Per­fect Weapon: War, Sab­o­tage, and Fear in the Cy­ber Age by David E. Sanger. Crown, 357 pp., $28.00

The Vir­tual Weapon and In­ter­na­tional Order by Lu­cas Kello.

Yale Uni­ver­sity Press, 319 pp., $35.00

I was at­tend­ing a cy­ber­se­cu­rity con­fer­ence out­side San Fran­cisco sev­eral months ago when an alarm­ing bul­letin crawled across the bot­tom of a tele­vi­sion screen: “White House cy­ber­se­cu­rity czar Tom Bossert to step down.” The room let out a col­lec­tive gasp. Bossert was gen­er­ally viewed as one of the few peo­ple at the White House who un­der­stood com­put­ers, com­puter net­works, and in­for­ma­tion tech­nol­ogy— and how it was re­shap­ing the way we think about war­fare and con­flict. Bossert had been a deputy home­land se­cu­rity ad­viser to Pres­i­dent Ge­orge W. Bush and spent two years over­see­ing crit­i­cal US in­fra­struc­ture se­cu­rity. This put him on the front lines as hack­ers qui­etly probed Amer­i­can and Eu­ro­pean nu­clear power plants and wa­ter and elec­tric sys­tems. When Pres­i­dent Trump named him as­sis­tant to the pres­i­dent for home­land se­cu­rity and coun­terter­ror­ism in late 2016, ex­perts were some­what re­lieved. Bossert, they hoped, would be a coun­ter­vail­ing force in a White House in which the pres­i­dent had fa­mously sug­gested that med­dling in the 2016 elec­tion could have been done by Rus­sia, China, or “a 400 pound ge­nius sit­ting in bed and play­ing with his com­puter.” Late last year, in what ap­peared to be a change in strat­egy, the ad­min­is­tra­tion pub­licly an­nounced that North Korea was be­hind the wide­spread “Wan­naCry” at­tack, in which ran­somware ren­dered hun­dreds of thou­sands of com­put­ers—in­clud­ing those in the UK’s Na­tional Health Ser­vice—use­less. “Cy­ber­se­cu­rity isn’t easy, but sim­ple prin­ci­ples still ap­ply,” Bossert wrote in a Wall Street Jour­nal ed­i­to­rial of­fi­cially putting Py­ongyang on no­tice.

Ac­count­abil­ity is one, co­op­er­a­tion an­other. They are the cor­ner­stones of se­cu­rity and re­silience in any so­ci­ety. In fur­ther­ance of both, and af­ter care­ful in­ves­ti­ga­tion, the US to­day pub­licly at­tributes the mas­sive “Wan­naCry” cy­ber­at­tack to North Korea.

This past spring, the De­part­ment of Home­land Se­cu­rity went fur­ther and re­leased screen­shots that showed Rus­sian state hack­ers in­stalling mal­ware on Amer­i­can power plant com­put­ers, which would have al­lowed them not only to seize con­trol of the fa­cil­i­ties but po­ten­tially sab­o­tage them as well. That was the first time the ad­min­is­tra­tion called out Moscow so pub­licly. Af­ter years of ob­fus­ca­tion about what Rus­sian hack­ers were up to, Bossert and the ad­min­is­tra­tion’s cy­ber­se­cu­rity of­fi­cials seemed to be sig­nal­ing they would be more open about the threat. (More open, but not trans­par­ent; de­tails of Rus­sia’s elec­tion hack were al­lowed to re­main am­bigu­ous.) A week af­ter Bossert an­nounced his res­ig­na­tion, there was more per­son­nel news: Pres­i­dent Trump’s cy­ber­se­cu­rity co­or­di­na­tor, Rob Joyce, said he’d be leav­ing too. Joyce, a well-re­spected ex­pert who used to run the Of­fice of Tai­lored Ac­cess Op­er­a­tions, the NSA’s cy­ber-war­fare and in­tel­li­gence­gath­er­ing unit, said he would be re­turn­ing to his old agency. Soon af­ter, Pres­i­dent Trump signed an ex­ec­u­tive order elim­i­nat­ing the cy­ber­se­cu­rity co­or­di­na­tor po­si­tion. Cy­ber­se­cu­rity was clearly a di­min­ish­ing pri­or­ity at the Na­tional Se­cu­rity Coun­cil. (Ac­cord­ing to Bob Wood­ward’s new book, Fear: Trump in the White House, the pres­i­dent wor­ried that in­ter­na­tional hack­ing ef­forts would end up push­ing him into a mil­i­tary con­fronta­tion. Wood­ward re­ports that Bossert once tried to en­gage the pres­i­dent in a con­ver­sa­tion about cy­ber­se­cu­rity and was re­buffed. The pres­i­dent wanted to watch golf in­stead: “I want to watch the Masters . . . . You and your cy­ber war . . . are go­ing to get me in a war—with all your cy­ber shit.”)

A decade ago there were just a hand­ful of na­tions with ef­fec­tive cy­ber war­fare; now there are more than thirty. The sheer num­ber of coun­tries pur­su­ing these kinds of weapons shows that a new form of con­flict has ar­rived; the con­cern is that new rules or norms for it have not. As a re­sult, we’ve seen ad­ver­saries strike with im­punity, cal­cu­lat­ing that their dig­i­tal roguery won’t jus­tify a mil­i­tary re­sponse. North Korea sus­pected it could hack into Sony Pic­tures in 2014 and not pay a price for it. Pres­i­dent Obama said the at­tack would not go un­pun­ished, but how the US re­sponded is un­clear and of­fi­cials have hinted that some ac­tion may have been taken covertly. Just last week, the Jus­tice De­part­ment un­sealed an in­dict­ment that ac­tu­ally named one of the peo­ple they be­lieve was be­hind the 2014 at­tack—Park Jin-hyok, a North Korean spy—and charged him with com­puter and wire fraud. (While he’s un­likely to ever see the in­side of an Amer­i­can court­room, the US hopes by ex­pos­ing him it will hob­ble his abil­ity to launch fur­ther at­tacks.)

When China vac­u­umed up the per­sonal in­for­ma­tion of some 21 mil­lion Amer­i­cans from the Of­fice of Per­son­nel Man­age­ment—in­clud­ing doc­u­ments used for the back­ground in­ves­ti­ga­tions of cur­rent, for­mer, and prospec­tive fed­eral em­ploy­ees—the di­rec­tor of na­tional in­tel­li­gence at the time, James Clap­per, seemed to tip his hat to their in­ge­nu­ity. “You have to kind of salute the Chi­nese for what they did,” he told an au­di­ence at the As­pen Se­cu­rity Con­fer­ence. Three years later, it is clear that Wash­ing­ton is still strug­gling with how best to re­spond to big, bla­tant dig­i­tal at­tacks and, more re­cently, the ma­nip­u­la­tion of so­cial me­dia.

The United States has been putting “back doors” on com­put­ers for years, us­ing mal­ware and so­phis­ti­cated cy­ber-spy­ing tech­niques. But of­fen­sive hack­ing is dif­fer­ent. It can si­lently and in­vis­i­bly shut down fi­nan­cial sys­tems, sab­o­tage crit­i­cal in­fra­struc­ture, and scram­ble en­emy com­mu­ni­ca­tions. Of­fen­sive cy­ber op­er­a­tions have the po­ten­tial to dis­solve the dis­tinc­tion be­tween the phys­i­cal world and the vir­tual one, and they chal­lenge all our le­gal and in­ter­na­tional frame­works partly be­cause they are largely in­vis­i­ble—they do their dam­age with­out the flash and bang of tra­di­tional weaponry. Ma­li­cious code can sit in a com­puter net­work for months, qui­etly search­ing for se­cu­rity vul­ner­a­bil­i­ties with­out trig­ger­ing any re­sponse. When the dis­count re­tailer Tar­get was hacked in De­cem­ber 2013, the cul­prits stole per­sonal and credit in­for­ma­tion from as many as 40 mil­lion shop­pers. The hack­ers didn’t force their way into Tar­get di­rectly; in­stead they found a soft­ware vul­ner­a­bil­ity in an out­side com­pany that pro­vided Tar­get’s heat­ing, ven­ti­la­tion, and air con­di­tion­ing sys­tems. Once they had bro­ken into that net­work, the hack­ers were able to ac­cess Tar­get’s cus­tomer in­for­ma­tion and the cash reg­is­ters in its stores.

If cy­ber­se­cu­rity was just about crim­i­nals af­ter money, it would be eas­ier to man­age. But cy­ber at­tacks have evolved in so­phis­ti­ca­tion. Some use code to cor­rupt data—imag­ine if you could just add a digit to a series of elec­tronic bank trans­fers or change an ad­ver­sary’s med­i­cal record so the blood type reads A in­stead of O. Oth­ers wreak havoc on op­er­at­ing sys­tems. In 2007, the Idaho Na­tional Lab­o­ra­tory con­ducted some­thing called the Aurora Gen­er­a­tor Test, which used a soft­ware pro­gram to seize con­trol of a diesel gen­er­a­tor’s cir­cuit break­ers. Com­puter code be­gan send­ing direc­tions to the cir­cuit break­ers, telling them to open and close in quick suc­ces­sion, which even­tu­ally caused the gen­er­a­tor to ex­plode. Find­ing the right re­sponse to this ex­pand­ing reper­toire of cy­ber at­tacks has con­founded pol­i­cy­mak­ers. Two new books fo­cus on dif­fer­ent as­pects of this con­flict, and they both sug­gest that the very na­ture of global power has been trans­formed by an ex­pand­ing ar­ray of crim­i­nals, hack­tavists, and for­eign gov­ern­ments who have found that com­puter code can be the ul­ti­mate lev­eler among na­tions.

In his thought­ful new book, The Per­fect Weapon: War, Sab­o­tage, and Fear in the Cy­ber Age, the New York Times cor­re­spon­dent David Sanger draws back the cur­tain on what he calls the “‘Seven Sis­ters’ of cy­ber con­flict—the United States, Rus­sia, China, Bri­tain, Iran, Is­rael, and North Korea.” He con­tends that they are the world’s most ac­tive cy­ber pow­ers although, he writes, cy­ber war­fare is now a com­po­nent in all mod­ern mil­i­tary plan­ning. He com­pares it to air forces af­ter 1918. Air­planes started out as a revo­lu­tion­ary means of trans­porta­tion un­til some­one thought of adding a ma­chine gun to them. Al­most overnight, this rev­o­lu­tion­ized war. Cy­ber con­flict, Sanger makes clear, is on track to do the same. In an era of asym­met­ric war­fare, ad­ver­saries can hob­ble multi­bil­lion-dol­lar weapons sys­tems with com­puter code, and no one is quite sure how to stop it. The po­ten­tial for es­ca­la­tion has al­ready ar­rived. Sanger writes about a star­tling rec­om­men­da­tion that De­fense Sec­re­tary James Mat­tis made in the early months of the Trump ad­min­is­tra­tion. He told the pres­i­dent that the US should pub­licly de­clare that any at­tacks on its crit­i­cal in­fra­struc­ture, even a non­nu­clear at­tack, would be met with a nu­clear re­sponse. Trump ap­par­ently ac­cepted Mat­tis’s ag­gres­sive rec­om­men­da­tion with­out hes­i­ta­tion. A few months later, Sanger notes, the ad­min­is­tra­tion pub­lished a new strat­egy in which it re­de­fined the pa­ram­e­ters of bat­tle: Amer­ica would now launch con­stant, low-grade cy­ber at­tacks against for­eign servers be­fore threats against the US could even ma­te­ri­al­ize; it was the dig­i­tal equiv­a­lent of a pre­emp­tion doc­trine. Iran is one of the rea­sons such pre­emp­tion has be­come stan­dard. Sanger writes that one se­nior in­tel­li­gence of­fi­cial told him that, typ­i­cally, when you think of the hi­er­ar­chy of weapons sys­tems, you think of nu­clear weapons on top, then bioweapons, chem­i­cal weapons, and con­ven­tional firearms. Iran is dif­fer­ent, the of­fi­cial said; it has put

cy­ber weapons on top, which has al­lowed it to com­pete with the US in a way it never could in the past.

Cy­ber war­fare al­lows ad­ver­saries to be ex­traor­di­nar­ily dis­rup­tive with min­i­mal con­se­quences. In 2012, Saudi Aramco, the Saudis’ state-owned oil com­pany, was the vic­tim of an in­side at­tack. Some­one with priv­i­leged ac­cess to its net­work un­leashed a com­puter virus that erased the hard drives of some 40,000 of the com­pany’s com­put­ers and servers. The Saudis ended up hav­ing to scrap their in­fected com­put­ers and buy 50,000 hard drives, tem­po­rar­ily cor­ner­ing the world’s sup­ply. It took five months to undo the dam­age. US in­tel­li­gence of­fi­cials con­tend that Iran was be­hind the at­tack.

China’s hack­ers are no less ag­gres­sive, though dif­fer­ently di­rected—they are look­ing for govern­ment se­crets and in­tel­lec­tual prop­erty. They are part of some­thing called Unit 61398, which is housed in a non­de­script build­ing in Shang­hai. As Sanger writes, a for­mer air force in­tel­li­gence of­fi­cer named Kevin Man­dia led a pri­vate in­ves­ti­ga­tion into Chi­nese in­tru­sions into US govern­ment net­works and pri­vate com­pa­nies. Man­dia tracked at­tacks on 141 dif­fer­ent com­pa­nies across a num­ber of in­dus­tries. Rather than go the tra­di­tional route of trac­ing the hack­ers’ IP ad­dresses, Man­dia had a bet­ter idea: he ac­ti­vated the cam­eras on their lap­tops and watched them as they broke into Amer­i­can servers. He even tracked their key­strokes. Man­dia ended up giv­ing the story to Sanger and his col­leagues at The New York Times.

One US at­tor­ney in Pittsburgh, David Hick­ton, helped shape the de­bate on how to treat this par­tic­u­lar hack by char­ac­ter­iz­ing it as a crim­i­nal act. He and the Jus­tice De­part­ment charged five Chi­nese mil­i­tary of­fi­cers (work­ing un­der pseu­do­nyms like Ug­lyGo­rilla and KandyGoo) of elec­tronic theft of in­for­ma­tion from lo­cal Pittsburgh com­pa­nies, in­clud­ing US Steel and West­ing­house Elec­tric. The Jus­tice De­part­ment even dis­trib­uted wanted posters that fea­tured the im­ages Man­dia had cap­tured from their lap­top cam­eras. The hack­ers were all in uni­form. “This nam­ing and sham­ing was un­prece­dented,” Hick­ton told me at the time. “The only way to stop this kind of be­hav­ior is to call them out.”

While the Chi­nese mil­i­tary hack­ers were never tried, the nam­ing and sham­ing had an ef­fect. In 2015, Chi­nese Pres­i­dent Xi Jin­ping and Pres­i­dent Obama agreed to work to­gether to in­ves­ti­gate cy­ber crimes and vowed not to know­ingly sup­port hack­ing-re­lated theft of in­tel­lec­tual prop­erty. While that seemed to be a step in the right di­rec­tion, the Trump Trea­sury De­part­ment has said that China has not lived up to the agree­ment.

In the RAND Cor­po­ra­tion’s re­port Cy­berde­ter­rence and Cy­ber­war (2009), Martin Libicki ex­plains why cy­ber de­ter­rence is so hard. As he sees it, at­tri­bu­tion isn’t the prob­lem—link­ing ac­tions to per­pe­tra­tors may take time, but it isn’t im­pos­si­ble. The real dilemma for de­ter­rence is that cy­ber weapons are sit­u­a­tional. While the one thou­sandth bomb is as pow­er­ful as the first, re­peated use di­min­ishes a cy­ber weapon. Code can be ren­dered use­less with a sim­ple patch. Nu­clear weapons are meant to over­whelm the en­emy— the doc­trine of mu­tu­ally as­sured de­struc­tion worked be­cause it en­sured that no one reached for the nu­clear op­tion, since both sides un­der­stood they wouldn’t sur­vive. Cy­ber at­tacks are more com­pli­cated and can run the gamut from ir­ri­tat­ing (North Korea’s hack of Sony) to gen­uinely de­struc­tive (the Stuxnet worm that de­stroyed cen­trifuges in an Ira­nian nu­clear fa­cil­ity). Had the Rus­sians sent sui­cide bombers to polling sta­tions dur­ing the 2016 elec­tions, the US re­sponse would have been un­am­bigu­ous. Their cy­ber of­fen­sive left pol­i­cy­mak­ers with no clear prece­dent for a rem­edy or re­sponse.

Sanger ar­gues that the rush to com­pare cy­ber war with nu­clear war has pre­vented us from un­der­stand­ing how it fits into a broader geopo­lit­i­cal frame­work. How does one counter a cy­ber at­tack with­out po­ten­tially de­struc­tive es­ca­la­tion? All the op­tions seem to lead to es­ca­la­tion: Amer­i­can cy­ber war­riors could take down Rus­sian fi­nan­cial in­sti­tu­tions, re­lease de­tails of Putin’s ties to oli­garchs, make over­seas bank ac­counts dis­ap­pear—the prob­lem, Sanger writes, is that no one is quite sure where it ends. There is no model for es­ca­la­tion.

The best cy­ber at­tacks are ones that are hard to at­tribute. Hack­ing is one of the first strate­gic weapons cre­ated by the in­tel­li­gence com­mu­nity (rather than by the mil­i­tary), so one could ar­gue that the need for se­crecy is built in. Trans­parency is anath­ema to in­tel­li­gence agen­cies, so there is an un­der­ly­ing sense that any dis­cus­sion of of­fen­sive cy­ber weapons would im­pede their use—a dig­i­tal way of be­ing able to nei­ther con­firm nor deny, end­ing any dis­cus­sion be­fore it even starts. If that sounds fa­mil­iar, it should: this is what hap­pened be­fore there was a na­tional con­ver­sa­tion about drones as well.

David Cole made a strong case that ul­ti­mately it was not the Obama ad­min­is­tra­tion’s drone pol­icy that be­came the prob­lem, it was the se­crecy that sur­rounded it.* When a clas­si­fied memo writ­ten in 2010 lay­ing out the ra­tio­nale for killing An­war al-Awlaki, an Amer­i­can-born rad­i­cal imam work­ing with al-Qaeda’s arm in Ye­men, was fi­nally re­leased in ac­cor­dance with a FOIA re­quest, the big ques­tion was why the Obama ad­min­is­tra­tion fought so hard to keep it se­cret, since the memo was largely ex­cul­pa­tory.

Sim­i­larly, Sanger main­tains that the se­crecy sur­round­ing Amer­ica’s of­fen­sive and de­fen­sive cy­ber ca­pa­bil­i­ties is stand­ing in the way of our hav­ing a proper strate­gic de­bate about the fu­ture of dig­i­tal weapons. Se­crecy is hob­bling pol­icy. “For our re­sponse to de­ter at­tack­ers, it needs to be very pub­lic— as pub­lic as an Amer­i­can airstrike on a chem­i­cal-weapons plant in Syria, or an Is­raeli strike on a nu­clear re­ac­tor,” he writes, adding that ad­mit­ting to of­fen­sive cy­ber at­tacks will also change the dis­cus­sion about them. Con­sider Stuxnet, the op­er­a­tion he re­ported on in the Times in 2010:

What if they had ad­mit­ted to it, the way Is­rael ac­knowl­edges, im­plic­itly

*“The Drone Memo: Se­crecy Made It Worse,” NYR Daily, June 24, 2014.

or ex­plic­itly, that it has bombed re­ac­tors in Iraq and Syria? We might well have es­tab­lished one of those red lines: if you pro­duce nu­clear fuel in vi­o­la­tion of UN man­dates, ex­pect that some­thing bad could hap­pen to your cen­trifuges— maybe from the air, maybe from cy­berspace.

Sanger’s point is that there need to be pa­ram­e­ters, an un­der­stand­ing of what is off-lim­its. He sug­gests that com­pa­nies, not coun­tries, lay out a con­sen­sus on prin­ci­ples that will pro­tect civil­ians in a kind of “Dig­i­tal Geneva Con­ven­tion” to get the con­ver­sa­tion started. Big tech com­pa­nies, in­clud­ing Mi­crosoft, Face­book, and dozens of oth­ers have em­braced the idea. Notably ab­sent from the list of sup­port­ers are Google, Ap­ple, and Ama­zon.

An­other at­tempt to es­tab­lish a frame­work for the dis­cus­sion about cy­ber­se­cu­rity can be found in The Vir­tual Weapon and In­ter­na­tional Order, Lu­cas Kello’s book about cy­berspace, sta­bil­ity, and the world’s bal­ance of power. He does not pro­vide a his­tory of cy­ber war­fare or even a nar­ra­tive about the ever-grow­ing num­ber of at­tacks; in­stead, he dis­cusses hack­ing against the back­ground of po­lit­i­cal the­ory and in­ter­na­tional re­la­tions. He makes clear how dif­fi­cult it has be­come to find the right model to ad­dress the largely in­vis­i­ble world of dig­i­tal war­fare.

Kello, the di­rec­tor of the Cen­tre for Tech­nol­ogy and Global Af­fairs at Ox­ford Uni­ver­sity, uses Rus­sian, Ira­nian, and Chi­nese cy­ber at­tacks to sug­gest that they don’t just rep­re­sent a change in tac­tics, they are the begin­nings of a rev­o­lu­tion. He con­tends that cy­ber con­flict chal­lenges the ra­tio­nal and moral order of the world as we know it; and wor­ry­ingly, be­cause cy­ber weapons are grow­ing so fast, in­no­va­tion is out­pac­ing doc­trines that might limit their risks.

Kello has four core ar­gu­ments. The first is that cy­ber con­flict among states and non­states leaves us in an un­easy po­si­tion, some­thing he calls “un­peace”—a “mid-spec­trum ri­valry ly­ing be­low the phys­i­cally de­struc­tive thresh­old of in­ter­state vi­o­lence, but whose harm­ful ef­fects far sur­pass the tol­er­a­ble level of peace­time com­pe­ti­tion.” Imag­ine the shud­der­ing ef­fects of si­lenced cell phone net­works, traf­fic lights go­ing dark, or credit cards ren­dered use­less. While it is short of war, it is desta­bi­liz­ing all the same. Sec­ond, Kello con­tends, be­cause of the im­per­fect abil­ity to at­tribute at­tacks, tra­di­tional tools of de­ter­rence don’t work. Third, schol­ars and pol­i­cy­mak­ers view hack­ing from dra­mat­i­cally dif­fer­ent per­spec­tives. And fi­nally, we have yet to un­der­stand how it is rewrit­ing the rules of con­flict.

The most en­gag­ing part of the book comes when Kello calls for a “Congress of Dis­ci­plines,” a gath­er­ing of tech­nol­o­gists, an­a­lysts, po­lit­i­cal sci­en­tists, lawyers, and philoso­phers to do for cy­ber war­fare what the “Wizards of Ar­maged­don” did in the 1950s and 1960s to set the stage for arms con­trol in the nu­clear age. The prob­lem is that mem­bers of Kello’s congress will have a dif­fer­ent chal­lenge than that of the Wizards who pre­ceded them. Coun­tries that de­vel­oped nu­clear weapons were likely to be a fi­nite group be­cause there were ma­jor bar­ri­ers to join­ing the nu­clear club: you needed money, in­fra­struc­ture, and spe­cial­ized knowl­edge. Cy­ber weapons are more demo­cratic: be­com­ing a cy­ber power re­quires the same skills as an en­tre­pre­neur—imag­i­na­tion, de­ter­mi­na­tion, and a lap­top. “The cy­ber age pre­sents an irony,” Kello writes:

It awards tech­no­log­i­cal vir­tu­os­ity with peril. Ev­ery ad­van­tage borne of the new tech­nol­ogy also in­vites its dan­gers. On­line bank­ing en­ables cy­ber­crime; dig­i­tal com­mu­ni­ca­tions bring forth sur­veil­lance; com­put­er­ized in­dus­trial sys­tems al­low in­fras­truc­tural dam­age; and so on.

In his view, this is the dilemma of our time. “Those na­tions that are most adept at har­ness­ing cy­berspace to achieve eco­nomic, so­cial, even mil­i­tary gains are also the ones most vul­ner­a­ble to threats prop­a­gat­ing through it.” In­deed, the mul­ti­fac­eted na­ture of the prob­lem has proven to be a cross­do­main night­mare for pol­i­cy­mak­ers. While ac­tivists and jour­nal­ists have been warn­ing for years about so­cial me­dia’s ero­sion of our ba­sic pri­vacy, who could have pre­dicted that our “likes” on Face­book could be trans­formed into elec­tion in­sights? Big Data, ar­ti­fi­cial in­tel­li­gence, and ma­chine learn­ing are even trans­form­ing how we think about think­ing and the way knowl­edge evolves.

And all this is un­fold­ing, Sanger notes, with­out a con­ver­sa­tion or a grand strate­gic de­bate about cy­ber con­flict it­self. One would have thought that Stuxnet would have pushed pol­i­cy­mak­ers fur­ther in that di­rec­tion. In­stead, they re­main flum­moxed, un­able to re­spond to a sit­u­a­tion in which both sides are ex­ploit­ing vul­ner­a­bil­i­ties in com­puter net­works at such a pace that es­ca­la­tion seems in­evitable. Sanger’s mes­sage in The Per­fect Weapon is that in the next few years, when these cy­ber weapons are com­bined with ar­ti­fi­cial in­tel­li­gence, cal­cu­la­tions may go awry, mis­takes will be made, and these stealthy cy­ber con­flicts will dis­as­trously es­ca­late to af­fect phys­i­cal in­fra­struc­ture be­fore peo­ple have the time, or the sense, to step in. While the White House seems to be shirk­ing its re­spon­si­bil­ity in this de­bate, the Pen­tagon is be­gin­ning to step into the breach. In late June De­fense De­part­ment of­fi­cials told the House Armed Ser­vices Com­mit­tee that they had a plan to shore up the Pen­tagon’s poli­cies re­gard­ing con­trac­tors and the cy­ber­se­cu­rity they prac­tice with an ini­tia­tive called “De­liver Un­com­pro­mised.” The plan is to add a fourth pil­lar to the ac­qui­si­tions process: in ad­di­tion to lay­ing out the cost, sched­ule, and per­for­mance of their pro­grams, con­trac­tors would have to pro­vide de­tails about their cy­ber­se­cu­rity pro­tec­tions as well.

News of the plan came just weeks af­ter The Wash­ing­ton Post re­ported that the Chi­nese govern­ment had suc­cess­fully com­pro­mised the com­put­ers of a navy con­trac­tor and had snatched highly sen­si­tive in­for­ma­tion about US sub­marines, in­clud­ing plans to de­velop su­per­sonic anti-ship mis­siles that could be de­ployed on subs as early as 2020. De­fense De­part­ment of­fi­cials briefed law­mak­ers on the de­tails of that hack in a closed, clas­si­fied session. —Septem­ber 12, 2018

Staffers at the Na­tional Se­cu­rity Agency, Fort Meade, Mary­land, Oc­to­ber 2002

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.