During World War I, airplanes were made of wood, fabric, and baling wire, and barely topped 100 mph. For David E. Sanger, that’s about the relative level of today’s cyberweapons.
Which is not to say they aren’t an extremely dangerous threat. Just that we’re only beginning to grasp the destructive potential of cyberweapons — and the complex challenges of containing them.
“When the Wright brothers first sold their Flyer to the military,” said Sanger, author of The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, “the generals did not have in mind that it would be armed and used for dropping bombs.”
Thirty-seven years later, airplanes destroyed two Japanese cities with nuclear weapons.
“We have to have the same humility about cyber,” said Sanger, who is also a national security correspondent for The New York Times. “We understand what the means of distribution is right now, but we don’t understand what the warheads that get put on this malware will look like.”
Unlike the nuclear age, however, the doctrine of mutual assured destruction (MAD) is murky at best. If, for example, Russia, China, or North Korea used malware to knock out a major U.S. power grid, the United States would respond in kind. But below that uneasy balance of terror lies a massive, ill-defined gray area that is devoid of clear strategy or international agreements.
“The cyber Pearl Harbor phraseology,” Sanger warned, “while meant to wake up Congress, is actually what I’m least worried about. Because the much more pernicious, subtle use of cyber to which we have not figured out a good deterrence, to which we probably wouldn’t use the military in response, is the more likely way for adversaries to go.”
Destruction and Stealth, on a Budget
It’s the stealth, flexibility, and cheapness of cyber that makes it “the perfect weapon” in Sanger’s view.
“It’s available to failing states like Russia,” he explained, “which wants to make the maximum use of it for destruction, or states like North Korea, one of the poorest in the world but able to organize this national power to launch effective attacks against Sony and many others. Second, it’s easily targetable. Third, you can dial it up and dial it down so that you can calibrate your cyberattack.”
Such “short of war” attacks include everything from destroying the centrifuges Iran used to refine nuclear bomb fuel, as the United States and Israel did beginning in 2008, to Russia’s efforts to manipulate elections in both Ukraine and the United States.
The question of how to respond to such disruptions of banks, businesses, and government and military institutions continues to unnerve leaders.
“It’s really confounded American planners, because while we like to throw around the phrase cyberwar, what we really have here is low-level, perpetual cyberconflict,” Sanger said. “The better analogy is not nuclear weapons, it’s terrorism. Where there’s always the threat of terrorism around.”
“Cyber should be thought of in the same way,” he added. “You’re not going to stop all cyberattacks, you’re trying to stop the truly big ones or have the resilience in place that if you do get hit by something truly big, you’re back up and online and not disrupted.”
Counterstrikes and Rapid Escalations
Meticulous planning to recover from a cyberattack is hard enough. But deciding when to fight back can be a bigger challenge.
“President Trump has signed a new executive order whose contents have remained secret,” Sanger said. “But we’ve been told enough about it to be able to infer if he has devolved some of that authority down to the NSA, Cyber Command, and so forth, to conduct more cyber operations without having to get explicit presidential authority.”
That gives lower-level officials more freedom to respond to an attack in its early stages, when speed is critical. The risk, Sanger warned, is of an escalation that spirals out of control. As with so many questions around cyberwar, there are no easy answers.
“The good news,” Sanger said, “is you’re going to operate at network speed. You can’t be going back to the president for every little activity you’re doing online.”
“However,” he added, “you want to make sure that the president and others are not only in the loop but fitting this into a broader strategy if there’s fear of escalation with a power that can come back at you. China, Russia, whatever. You don’t want to get into a cyber tit for tat that escalates so rapidly that suddenly things spill over into military, financial, or other arenas.”
A Cyber Manhattan Project and Geneva Convention
Businesses can easily wind up in the crossfire between nations, as Sony discovered when it was hacked by North Korea in 2014. And Saudi Aramco when it was attacked by Iran in 2012.
Sanger stresses that companies need to spend “thousands, millions, in some cases maybe even billions collectively on cyber defenses.” And in The Perfect Weapon, he also calls for a government-led effort on the order of the Manhattan Project, “to lock down our most critical systems.” The goal is “deterrence by denial,” convincing a potential enemy that an attack would futile.
But even with such massive undertakings, Sanger believes that purely technical measures are not enough.
He argues that global business, government, and technology leaders should follow the lead of another historic 20th-century initiative, creating strictures for what can and can’t be attacked.
“We need to begin to develop a common set of norms of behavior where we determine what’s off limits,” Sanger said, “because of the need to protect civilians, much as the original Geneva Convention was focused on protecting civilians who are caught in the crossfire of war.”
Sanger acknowledged that state-run hackers are not the only threat. “There are also criminal groups,” he said, “there are also terror groups, there are also teenagers. Most of those don’t sign treaties.”
Still, he asserted that international agreements are critical, and business leaders should be part of the discussion.
“I think companies will come to realize over time that it is not simply enough to invest in cyber protections,” he said. “That they’ve got to begin to invest in the kind of geopolitical solutions to this problem. You’re going to have to manage it with allies.”
Disrupting the Hearts and Minds of Voters
In the meantime, the low-level, seemingly perpetual cyberconflict of which Sanger speaks will only continue.
For the most part, Sanger does not expect major disruptions to the 2018 midterm elections. “It’s too hard for a state to figure out where their interests lie,” he said. “Do you support this candidate or that candidate in the third district in Missouri?”
At the same time, he warned that we should never underestimate the potential of cyberattacks. In 2016, few imagined that Russia would try to influence the outcome of the U.S. presidential election. Yet those efforts followed an already-established playbook.
“Everything they ultimately did in the United States in 2016,” he said, “they had done previously in Ukraine and elsewhere. Yet we were kind of tuned out to it. We sent teams to go examine what they did to the power grids because we were thinking Pearl Harbor kind of attacks. But we did not spend time thinking terribly hard about all of the other things they were doing because we had a failure of imagination.”
With emerging technologies on the near horizon, we can’t risk the same lack of imagination that followed the advent of aerial warfare in the last century. Artificial intelligence, for example, could remove humans from decision chains, resulting in uncontrollable escalations. While quantum computing threatens to break existing encryptions.
The United States, Sanger believes, is particularly vulnerable. It’s highly connected, yet many networks remain backward and unsecure. And, he wrote, “we clearly are not prepared for the day when each American action in cyberspace triggers an escalating response.”
As difficult as these challenges are, Sanger believes that strong leadership, combining technical, political, and diplomatic solutions, is the best way forward.
“I think that the question is not whether we’re ahead of every tactic and technology,” he concluded, “but whether or not we’ve got the kind of broad, strategic approach to dealing with cyber threats that we developed slowly in the 1950s to deal with nuclear threats.”
Did you like this article?