CyberWire Daily - David Sanger on the HBO documentary based off his book, "The Perfect Weapon". [Special Edition]
Episode Date: November 1, 2020
On this Special Edition, our extended conversation with author and New York Times national security correspondent David E. Sanger. The Perfect Weapon explores the rise of cyber conflict as the primary way nations now compete with and sabotage one another.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey all, Rick Howard here. In this CyberWire special edition, an extended version of my interview with David Sanger,
the noted New York Times journalist, three-peat Pulitzer Prize winner, author, and now producer
for an HBO documentary about his most recent book, The Perfect Weapon, How the Cyber Arms Race Set
the World Afire. The Cybersecurity Canon Committee inducted his book into the Hall of Fame this past
summer, and the documentary started streaming on 16 October on HBO and HBO Max.
And for those of you who don't know, I am a huge fan of cybersecurity books as means to stay current in my profession.
And I am a founding member of the Cybersecurity Canon Project that's designed to find and recommend books to the network defender community that are must-reads.
If anybody has ever asked me about what is the one book they should read to get a sense of the cybersecurity community,
I would always recommend an old favorite, Cuckoo's Egg by Dr. Clifford Stoll, published in the late 1980s.
That book convinced a lot of people back in those days to pursue cybersecurity as a career, including me.
But if there is any book that could potentially knock Cuckoo's Egg off that lofty perch, it is Sanger's Perfect Weapon. He has captured completely the seminal paradigm shift in thinking by nation states in this last decade, from cyber being a novelty item with limited
capability and use, to cyber being a strategic tentpole lever as an instrument of political
power and influence.
Here is David explaining what the book and documentary is about.
was that we went through years in which, in the national security world,
people viewed cyber as this sort of interesting side,
irregular warfare kind of thing that, you know,
was sort of a nice thing to spend a half an hour learning about
while you were spending the year or two years or your career
learning about traditional national security.
And what have we discovered in the time since?
That it's not the sideshow, it is the show.
That in a world in which no one wants to take on the U.S. military directly
for all the understandable reasons,
it is suddenly possible to undercut American power
or another adversary's power
by using a short-of-war cyber-related weapon,
whether you are hacking into infrastructure,
dams, voting machines, electric power grids, a financial system, or whether
you're hacking into minds. The information wars that we've seen surrounding the 2016 election
and begun to see in 2020, although here in the 2020 elections we'll discuss, we've got some new
concerns that go beyond what the Russians did four years ago.
Before 2010, most nation states, including the U.S., thought about cyber as a novel tool for a
subset of cyber espionage requirements. By 2020, though, cyber has become the political lever to
pull for nation states like China, Russia, and the U.S. that are just short of actual warfare. These nations can
do extreme damage to each other in the cyber arena without the fear that the action will escalate
to an actual shooting war. For smaller nations like North Korea and Iran, cyber has become the
great playing field leveler. These smaller nations can exact the same kinds of damage as the big boys
now at a fraction of the cost compared to trying to match the USA in numbers of tanks, aircraft carriers, and jets.
From the HBO documentary, here is Amy Zegart.
She is a senior fellow at the Freeman Spogli Institute for International Studies at the Hoover Institution and professor of political science at Stanford University.
The evolution of cyber has happened very quickly
in terms of its importance to the United States
and the organizational dimension of it in the U.S. government.
In 2007, the director of national intelligence issues his threat assessment
of all the threats against the country.
The word cyber isn't in it a single time.
Fast forward just a couple of years, you have the creation of Cyber Command.
Fast forward a couple more years, it's 2012. Suddenly, cyber has gone from not being mentioned at all in those threat assessments to being one of the top three threats facing the United States.
The event that started this monumental change is known as Operation Olympic Games,
the codename that the U.S. used to classify the cyberattacks targeting the Iranian nuclear program
that became known to the public as Stuxnet.
Well, Stuxnet was an American-Israeli effort to undermine Iran's nuclear program by going after the
centrifuges, the high-speed machines they use to enrich uranium. Now, in a previous age, Rick,
you would have done that either by bombing the centrifuge center from above or sending in
saboteurs. But both of those methods, contemplated at the end of the Bush
administration by the U.S. and by Israel, would have had one thing in common. They would have
started another war in the Middle East. So a group of intelligence officials and generals came to
Bush toward the end of his term and said, sir, we've got another way to get at this. We can put code into the machines that control the Iranian centrifuges at Natanz and blow them up. And Bush looked at them and said,
yeah, sure. But he authorized them to go ahead and do the experiment of trying to do this
in a test system in the United States. So they took a bunch of the centrifuges that we
got from Libya when it gave up its nuclear program. They have the same kind that Iran has,
no accident. The Pakistani scientist A.Q. Khan sold them both to them and put them into an
underground hillside location in Tennessee, applied the code to it, made some blow up,
brought the shards back to the Situation Room,
invited Bush down, he looked at them,
and well, what he said, I can't say on a nice broadcast
like the CyberWire, but let's say that it would be described
in the New York Times as a vivid
and colorful Texas epithet.
That's excellent.
Which they took as permission to go out and put them into Iran.
And then, of course, famously, the code got out, and that's what you call Stuxnet.
Nobody in the U.S. government called it Stuxnet.
They called it Operation Olympic Games, which was one of the most classified operations they had going. Once the code got out in the summer of 2010, it began
to spread around the world. And that set me and some of my colleagues off on a big journalistic
hunt to figure out where this code came from. And eventually, it took a year and a half of reporting. We tracked it back to
the Bush administration and then handed off to the Obama administration. And meetings in the
Situation Room where they were picking targets in Iran the way Lyndon Johnson used to pick targets
for Vietnam in the same room.
When President Bush decided to approve Olympic Games,
it was a good solution for him at the time. He could potentially slow down the Iranian nuclear program and not have to
roll the tanks into Iran. What he didn't account for is the idea that this action opened the flood
gates for other nation states to emulate. Here is David from the documentary this time, and you can
tell that because there is music playing in the background.
They had crossed the Rubicon. The United States had basically legitimized the use of cyber
as a weapon against another country against whom you had not declared war.
It pushed the world into an entirely new territory.
Once the Iranians took the punch, Iran said, oh, that's the way the game is played.
All right, I get this now.
And then they started to unleash against the United States.
Bright light city gonna set my soul, gonna set my soul on fire.
That was Jason Healey from the documentary.
He is a senior research scholar at Columbia University's
School for International and Public Affairs,
specializing in cyber conflict, competition, and cooperation.
And a little bit of Elvis to get us in the mood
for the Iranian cyber attacks against the Sands Casino in Las Vegas.
Right after Stuxnet, we saw the Iranians attack Saudi Aramco,
the world's largest maker of, producer of oil.
They lost about 30,000 computers.
Iran's cyber groups improved.
By 2012, they were going after financial centers in the United States,
although it took the U.S. intelligence operations a long time
to figure out where that was coming from.
So Bank of America, Citigroup, all those,
that's when they sort of first got religion about the need to protect their networks. There's a scene in the documentary
in which Sheldon Adelson, who's a big Republican contributor, goes to Yeshiva University and is
giving a talk one day about the Iranian nuclear program. And he says, you know what we ought to do?
We ought to take a nuclear bomb and explode it in the Iranian desert and sort of glassify it.
And then send the Iranians a note and say to them, this is what's going to happen to Tehran if you don't turn over your nuclear program.
Now, I teach national security stuff in a graduate course at the Kennedy School at Harvard.
And I would not call this the most subtle strategy that I've ever heard.
But, you know, it's a strategy.
When I heard him say that on the documentary, I said, oh, yeah, that's going to turn out well.
Yeah.
So it turns out that not only you were listening to him say it, but who knew the Iranians get
YouTube? And they watched him say it.
Sheldon Adelson, Desert Sands. Wait a minute. This guy owns a casino, doesn't he? He does.
He owns the Sands Casino. And what do you know, about three months later,
his employees walked in and discovered their hard drives had been wiped clean.
The significance of the Iranian Sands Casino cyber attack is that a small nation state who doesn't have the military power of a U.S. or Russia or China can take out a small city via cyber in a country of one of their enemies.
Because casinos are really small cities.
Besides the gambling, they have restaurants, entertainment, shops, a police force, medical facilities,
power generation, and an entire host of administration that is equivalent to the cities of, say, Baltimore or San Antonio.
But since the Iranian Sands Casino cyber attack worked,
the North Korean leadership decided they would try their hand in a similar way to pressure a Hollywood studio, Sony, from releasing a movie that was critical of its
leader. The North Korean hacker group Guardians of the Peace, or the North Korean Military
Intelligence Group, took offense to the movie, The Interview, written and directed by Seth Rogen,
and launched a crippling cyber attack against
Sony's IT infrastructure. But they also took a new step. Before they destroyed everything,
they collected embarrassing documents about movie stars and directors and Sony executives
and dumped them to the press and other nefarious sites. Here is Dmitri Alperovitch,
the co-founder of CrowdStrike, and Amy Zegart again of Stanford
University.
We had seen criminal hackers and hacktivists use this hack and dump technique
to intimidate victims on a small scale. That was the first time we had seen a nation state
do it very effectively. The first thing that the North Koreans did was give it to reporters,
and then when they've exhausted that channel, they gave it to WikiLeaks.
This was all very valuable information to the company. Trade secrets like scripts before
movies were released, detailed contract information about what had been paid to whom.
From small nations like Iran and North Korea attacking the Sands Casino and Sony,
the documentary shifts to one of the big powers, Russia.
For the last decade, Ukraine has been the brunt of the Russians practicing their warfighting philosophy called Gerasimov.
Essentially, war that merges conventional attacks, terror, economic coercion, propaganda, and cyber.
The culmination of that effort led to one of the most damaging cyber attacks of all time,
NotPetya.
Here's David again.
So NotPetya was probably the most damaging hack ever done in terms of monetary damage.
It was designed to attack Ukraine and bring it to a halt by going after an accounting system that all Ukrainian businesses
are required to use by the tax authorities. But I think it ran on like Windows XP. And,
you know, that's mostly what people in Ukraine were using. And not all of those, again,
I know you'll be shocked. Not all of those were legal copies.
Oh, again, shocked, like you said. Yeah.
I happened to be in Ukraine when NotPetya was hitting, and I had gotten in late to Kiev,
and I walked across the street from my hotel because all the restaurants in the hotel were shut down. And remember the days when we used to fly around the world? No, it's all fuzzy.
And I had no cash with no Ukrainian cash with me. And I tried to pay for, you know,
my dinner with a credit card. There wasn't a credit card machine in the country that was working.
In the documentary, a number of experts chime in to talk about the NotPetya attacks.
In order of appearance, here they are.
Dmitry Shymkiv, who was Ukraine's deputy head of presidential administration at the time,
Dmitri Alperovitch again, the co-founder of CrowdStrike, Michael Riley of Bloomberg News,
and Amy Zegart again of Stanford University.
It was June 2017. I'm deputy head of the presidential administration.
Took a few days vacation to drop my kids to the summer camp.
And in the morning, I start receiving text messages from my team.
They think Ukraine is under attack.
Our infrastructure is registering attacks.
The virus is destroying computers.
You know, ATM machine was not working.
Hospitals reported that their computers had been down.
TV station, grocery stores.
It was devastating.
It was spreading like fire.
Ukraine is Vladimir Putin's petri dish.
It's where he experiments on every single technique
that he ultimately ended up using in the United States,
breaking into emails and making them public,
sowing chaos with disinformation.
Russia was constantly testing different strategies
and different approaches in Ukraine.
Attacks on the electrical grid, 2015-2016. Attack on the transportation infrastructure.
Odessa airport, Ukrainian subway in Kyiv. You don't see the regular war, but war is
taking place and it's devastating.
With this NotPetya attack, what the Russians didn't count on is that the spreading algorithms
that they put in were so aggressive that it wouldn't just contain itself to the network
of one company.
Any firms with any links to Ukraine are being contaminated by this contagious virus.
It would quickly jump out and compromise contractors, other networks that you may be connected with.
Escapes the box and it begins to hit corporations and companies all around the world.
Maersk Shipping was one. FedEx was another.
They lost hundreds of millions of dollars of business just from the loss of business operations
and the money they had to pay to remediate the damage to their systems.
As the Russians gained experience and success in Ukraine,
they started to include the U.S. as a target. Here's David again.
Well, against us, we saw it in
the early attacks on the Pentagon, which really are what resulted in the creation of Cyber Command,
and we take you through that a little bit in the documentary. But they also went after the email systems at the White House, the Joint Chiefs of Staff, the State Department.
They got into the State Department systems.
In fact, to the point the State Department had to close down their systems at various points.
And all of these led the United States to do absolutely nothing in return.
And so if you're Vladimir Putin and you're thinking,
okay, if these guys aren't going to defend the White House system,
why would we possibly think that they would care about the Democratic National Committee?
And the answer is that Putin concluded they probably won't.
And, you know, what's really remarkable is Cyber Command came up into being.
They were focused on things like taking out ISIS, which was definitely a big issue in 2016.
And they really weren't looking internally at our election system. And so this combination of hack and leak, of break into the DNC,
of make this stuff public, of the Facebook ads, of the influence campaign,
it's not like they had their radar off the way the U.S. military did in Pearl Harbor.
Rick, they hadn't even built the radar. Now, we're doing better this year because they had built the radar. But of course, the Russians are trying some new and
different techniques.
CrowdStrike was the incident response firm that the DNC called when they
realized they were in trouble. Here is Dmitri Alperovitch again describing what they found.
The call came out on Friday, so it took us a few days
for us to go into the network and find infected machines on the network.
This wasn't just on one system.
There were hundreds of systems that were being impacted.
We started looking at the malware and immediately realizing
that this was malware we had seen many times before,
that we had high confidence attribution to the GRU, the Russian military intelligence.
We're seeing them spread from system to system, touch files, take those files out of the network,
stealing data, monitoring everything.
You can't just shut down one machine because they're everywhere,
so you have to shut everything down
and spend several days rebuilding all the infrastructure.
We told the DNC,
when do you want us to do this remediation?
At the time, the primaries were in full swing.
Hillary Clinton had not yet locked down her nomination,
so they said, let's plan for four or five weeks from now
when the primaries are over and we're not under the gun. Waiting a few weeks did not seem
outrageous. Of course, over that period of time, the Russians continued stealing documents and
we're sort of helplessly watching them.
And then the Russians ran a play from their
dog-eared playbook that they had been using in Ukraine for a while now. A play that the North
Koreans started with the Sony attacks. The Russians started dumping embarrassing documents to the
public and began pitting opposite sides against each other on social media in a coordinated
influence operation. Here is Alex Stamos, an adjunct professor at Stanford's Freeman Spogli
Institute and visiting scholar at the Hoover Institution. But during the 2016 presidential election, he was the Facebook CSO.
During the election, we had a dedicated team at Facebook whose job it was to look for Russian
actors. And we had found GRU activity, we had found DCLeaks. We had found them pushing
disinformation, but not really at scale. And we really didn't understand what was behind the vast majority of this fake news.
But right after the election, we took all of the political ads that were run in the United States in the year before the election.
And then we figured out all the accounts that were possibly tied to it.
So this is the people who ran the ad, but it's then also people who use the same computer as the person who ran an ad,
or people who have used the same phone as the person who ran the ad. And then for every single one of those
accounts, we looked for possible links to Russia. We start pulling that thread, and then we
eventually find this cluster that we can all link together, and that was the Internet Research Agency.
Which brings us to the end of my interview with David Sanger about his excellent book and now his excellent documentary.
Let him have the last word on the subject.
So we brought it sort of up to date.
You'll see a lot of different people talking about what it's like to have been on the receiving end of this and the sort of fog of war.
You've got everyone in this documentary from Hillary Clinton and John Podesta,
who sat down to talk about the 2016 election,
to Seth Rogen, who was the star of, of course, The Interview.
And he is very funny, I do have to say.
And you'll see people like Eric Rosenbach, co-director of Harvard's Belfer Center,
but was the chief of staff to Ash Carter at the Pentagon when he was secretary of defense,
talking about the calculus that you make as you're under cyber attack
or as you're trying to think about what the U.S. can go do.
So the idea is to bring you in at a very human level
to the kind of decisions that have to be made when you're on the receiving end and when you're on the offensive end.
The book and now the documentary is called The Perfect Weapon,
How the Cyber Arms Race Set the World Afire.
HBO and HBO Max started streaming the documentary on 16 October 2020.
And many thanks to David Sanger
for being a guest of the show.
From everyone here at the CyberWire,
I am Rick Howard.
Thanks for listening.