Pod Save the World - Cyber war

Episode Date: June 29, 2018

Tommy talks with New York Times reporter David Sanger about the new world of cyber warfare. From North Korea's attack on Sony to targeting of Iran's nuclear program and Russia's invasion of Ukraine, c...yber attacks are increasingly used first in war even though there's no rules of engagement and little public debate.

Transcript
Discussion (0)
Starting point is 00:00:05 Welcome back to Pod Save the World. Thank you guys for tuning in this week. The conversation I had today is about cyber warfare. We touch on attacks against Iran's nuclear program, North Korea's missiles, and Seth Rogan. Yes, it is confusing. It is complicated, but it is enormously important because these are the weapons of the future, and we are going to have to deal with this sooner than we hope. My guest is David Sanger, he's one of the smartest reporters out there, and I believe you are going to enjoy the conversation. So here it is. guest today is a gentleman named David Sanger, who is the National Security correspondent and senior writer for the New York Times. He's the author of the new book, The Perfect Weapon, War, Sabotage, and Fear in the Cyber Age. David, we have known each other a very long time. It is funny to be on the other end of interviewing you, and I'm very excited that you're here today. Well, thanks, Tommy. We have known each other for a long time, and it's probably just as well that your listeners don't know the details. Yes, that's exactly right.
Starting point is 00:01:10 And it's probably pretty good that I'm no longer in government and privy to classified information because it seems like you have managed to dig up some fascinating, sensitive stuff in here. And the last time we worked together on a book that included that kind of information. We both ended up getting lawyers and I got interviewed by the FBI. But I want to dig into that story later and first start with the obvious place, which is by talking about Seth Rogan. Now, I suspect no one in the White House, the NSA, the Pentagon, or probably in Hollywood,
Starting point is 00:01:42 expected Seth Rogen to be the center of a debate about the future of global warfare. But that's what happened. It started with a release of a movie called The Interview. Can you remind us all why that movie so thoroughly pissed off the North Koreans and what they did in response? Well, let's start with the obvious and most important fact here. This was a truly terrible movie. Okay. That's outrageous.
Starting point is 00:02:05 There's an anecdote in the book where you have Obama getting briefed on the attack in the Oval Office. And some unnamed official says, I never thought I'd be in here briefing you on a bad Seth Rogen movie. And Obama says, how do you know it's a bad movie? And this unnamed staffer says, because, sir, it's a Seth Rogen movie, which is bullshit. Super Bad is Great. This Is The End is hilarious. I enjoyed the interview. I was offended by this.
Starting point is 00:02:28 You were. Well, you see, what happened when you left the White House, everything fell apart, including their movie taste. People with good taste moved in, okay. Right. So what this movie envisioned, it was obviously a comedy, and it imagined two reporters going to North Korea to interview Kim Jong-un, and the CIA engages them and tries to get them to basically become their hitmen to kill Kim Jong-un at some point during the interview or after it.
Starting point is 00:03:00 Now, as you know, Tommy, since you spent a career in Washington here dealing, with journalists. If you were going to hire hitmen, would you hire journalists for that job? Probably not, no. Yeah, unrealistic. Yeah, probably the least competent people I can think of, having been around journalists and been a journalist for a long time. So the North Koreans heard about this plot line even before the movie came out. And so they did the only reasonable thing that you would do if you wanted to stop a movie from coming out in Hollywood, which is they wrote a letter to the Secretary General of the United Nations. because you know just how influential he is with the Hollywood crowd.
Starting point is 00:03:40 And when that predictably failed, they had their hackers burrowed deep into the Sony systems. This was 2014. And they were very patient. They did what good hackers do. They spent months mapping out the system, figuring out what was connected to what and how they could do the most damage to the system. While a lot of people only vaguely remember the Sony hack, and if they do probably remember it for a series of emails that suggested that Angelina Jolie was difficult to work with on the set. Oh, right. In fact, the import of the Sony hack was that it melted down about 70% of Sony's computer systems.
Starting point is 00:04:23 Wow. And interesting question, it's completely paralyzed Sony Pictures Entertainment. They had to go write their paychecks at the end of the week using like these old. paycheck machines from the 60s and 70s. So they were completely fried. And that was one of the first truly destructive hacks. The United States, of course, had done one against the Iranians. That was the one for which I wrote some in the last book. That's the one that got you that visit from the FBI, Tony. Sure did. Tommy, which we can come back to in a little bit. But this particular hack was remarkable because it was against a private company.
Starting point is 00:05:03 And the debate that took place in the White House was, was this an act of war? Right. How do you respond to this? Right. And it's kind of a fascinating question because supposing for a minute that the North Koreans did not have access to cyber. And instead, they had landed a bunch of commandos at Long Beach and called an Uber and gone up to the Sony studios. you know, remarking to each other that they couldn't imagine that much traffic in the world, right? Because they come out of North Korea. And then they joined the studio tour. And then they stick some dynamite
Starting point is 00:05:37 underneath the computer center and they run like hell and hang out in a bar. If they had done that and the computer center had been blown sky high and you would have seen photographs or a video on CNN of it burning in front of the Hollywood sign, any American president would have been forced to go make something blow up in Pyongyang, I'm fairly well convinced. I'd be interested in your view on that. Instead, because they did it in a purely cyber way, there was no equivalent outrage. And the president, President Obama in the end, denounced them and put on some sanctions that I doubt the North Koreans ever even noticed amid all the other sanctions that had been put on North Korea. Right. And it's funny, you're not being hyperbolic. I mean, you were reporting from inside
Starting point is 00:06:24 the room where this was debated. And Obama ultimately called this an act. of cyber vandalism, but other national security officials said that this was the equivalent of planting a bomb inside Sony. But a complicating factor here is determining exactly who conducted a cyber attack, but then figuring out how to respond because apparently, according to your book, the only way to get into North Korea's networks to respond with an attack of our own was going through China, which could make the Chinese feel like we were attacking them. So this is not a simple policy response debate either. And it wasn't the only time. We You had times when we wanted to go after ISIS, where the debate was, could we go through German networks without telling the Germans?
Starting point is 00:07:03 Because a lot of the ISIS recruiting material was stored in the cloud in German systems. So this has been a very big issue across many years. And it gets to a big theme of the perfect weapon, which is you can have the greatest cyber weapons on Earth. And the United States still does. but you're going to be hesitant to use them if you believe that your system is so vulnerable, your systems are so vulnerable, that somebody's going to be able to go strike back. And because the U.S. is the most connected nation on Earth, we're nothing but vulnerabilities. And every time we create another internet-connected refrigerator or another internet-connected autonomous car,
Starting point is 00:07:48 we're actually increasing the target space. Right, right. And I want to start with North Korea because you don't hear North Korea. Korea and think tech savvy country full of young hackers. It's a closed-off society. They don't have kids growing up on the internet and just figuring stuff out. So they had to work at it. And it happened slowly under Kim Jong-il, who would have North Korea's UN employees enroll in computer science classes while living in New York, a very subtle move that was quickly noticed by the FBI. He also dispatched engineers to Russia and China for training. But when Kim Jong-un assumed power,
Starting point is 00:08:19 he really hit the gas, right? So how good are the North Koreans now and how How did they progress so quickly? Well, if you had to rank countries right now after, you know, the United States, Britain, Israel, or among the best, I'd say you'd probably say the Russians are the best, the Chinese right behind them, and the Iranians and North Koreans after that. And then there were a lot of upcoming countries because we think they're between 30 and 40 countries that now have a sophisticated cyber capability. And Tommy, when you and I were jousting over this stuff six, seven years ago, when you were
Starting point is 00:08:54 still the White House, I would guess there were maybe three or four countries, five countries that had that kind of capability. So it gives you a sense of the speed at which this proliferation has taken place. The reason that's happened and the reason the North Koreans have gotten good is that the price of entry is just dirt cheap. If you want to build nuclear weapons, you need plutonium, you need uranium, those aren't so easy to get in refined form. then you need to have, you know, multi-million, if not multi-billion dollar facilities to be able to turn that fuel into a bomb and develop the missiles to go deliver it.
Starting point is 00:09:30 If you want to build a good cyber force, you need some laptops, you need some young coders, you need to be able to spread them around the world so they have lots of access to the Internet and can hide their whereabouts. And you need a couple of cases of Red Bull. And that combination is about the totality of the cost. So when I called this book the perfect weapon, it's because it's the perfect leveler for smaller states that want to come up with a way to have a short-of-war attack on a much larger state, especially the U.S. Yeah, it's the perfect asymmetric warfighting tool. Stepping back a bit, I think, I imagine reporting on cyber warfare probably mirrors the difficulty in development. policy around it because it feels very hard to define for me. Like, for example, I know what nuclear proliferation means. It means building more nuclear missiles. I know what a missile is or a
Starting point is 00:10:25 tank or a fighter jet. I can define what those weapons are. I can't really define in my own head what a cyber weapon is. Can you explain it or is it amorphous? No, I think you can't explain it. A cyber weapon is based on a vulnerability in somebody's code. And since we now have so much code around the world, running your iPhone, running your PC, running industrial controllers, running nuclear power plants. Whenever there's coding, there's going to be errors in coding, mistakes that allow somebody to get in, that allows somebody to manipulate the system. If these errors have never been found before, they're usually called zero-day flaws. And that means you have zero days of warning that this is a vulnerability to you. You're first going to discover it when it happens.
Starting point is 00:11:14 And you may remember from your time back in the NSC that a process was built at the White House to begin to evaluate when these vulnerabilities came up and came to the attention of the U.S. government or when they went out to go by vulnerabilities. Do we report this to industry? You know, warn Microsoft and Google and all those that this flaw is there so that they can patch it and protect all of us? Or do you keep it and tuck it away in your arsenal and build a weapon around it that exploits it so that you have a weapon that you can use against someone else? And if you believe the reporting that the NSA and others had, they kept about 10% of all the flaws plus or minus and they reported to industry 90%. Wow, that surprises me. Now, it surprises you,
Starting point is 00:12:05 which way? That they would hold on to so many. I mean, it feels like that's a It is a pretty big risk. On the other hand, they felt that if they didn't hold on to anything, they were basically unilaterally disarming because the Russians and the Chinese are looking for these flaws as well and the Iranians and the North Koreans and the North Koreans and teenagers who are hoping to sell these flaws on the open market and you can make a lot of money doing it. So they felt that if they didn't do that, they were basically surrendering in the war. Right. Now, then once you have the vulnerability, then you build your weapon around that vulnerability.
Starting point is 00:12:41 Now, part of the book goes into something that happened, you'll be glad to know, after you left the White House, which is that we built up this big arsenal of weapons. Imagine a storehouse of cyber weapons, the way you'd have a storehouse of, say, missiles. And then someone broke in or an insider slipped them out, and all of a sudden in the middle of the summer, of 2016, some of these weapons started showing up on the web. And so one was offering to sell more of them, a group called the Shadowbrokers. This was from the NSA's tailored access operations group. That's right.
Starting point is 00:13:19 They came right out of tailored access operations, which is the corner of the NSA. It's been renamed since that basically broke into foreign systems. Now, the response of the NSA was not to confirm that these weapons even belonged to the United States. But sooner or later, they got broken up and shot back at us and our allies. The Wanukry attack that North Korea did against the British health care system, which may have been an unintended target last summer, was, in fact, a U.S. developed weapon that got out there, and the NSA sort of raced out to warn Microsoft to patch it.
Starting point is 00:14:02 But by the time Microsoft did that, and since a lot of these systems around the world are old, the patch didn't really do much good. Terrifying. The other thing that genuinely surprised me about the development of these weapons was that it's largely done by outside contractors in the same way that the F-35 is developed by Lockheed Martin or Predator drones are made by General Atomics. It's like I can't believe that we just throw... these tools or the development of them to contractors at Booz Allen, which is not coincidentally
Starting point is 00:14:33 probably where Edward Snowden worked. It's where Edward Snowden worked. It's where other people who have been arrested by the FBI in recent years worked, including Hal Martin, who was an NSA. It worked at the NSA, worked other places as well and was found hoarding a lot of these documents inside his house. Some people believe that those documents somehow found their way to the Russians as well and that that may have been one of the sources for Shadowbrokers. It's not at all clear that Mr. Martin even knew that was happening. So, yes, this gets sent out to contractors the way building satellites get sent out to contractors or building aircraft parts get sent out to contractors. And frankly, it's the contractors who can pay the best computer talent a lot more money than the U.S. government can.
Starting point is 00:15:26 Right, right. Let's talk about a place a lot of these cyber weapons seem to have ended up somehow or the other, which is Iran. You write about two highly sensitive efforts against Iran that I presume are or assume our covert action programs. One is called Olympic Games, which is designed to sabotage their nuclear weapons program. The other is called Nitro-Zuse, which is essentially a massive cyber attack designed to take Iran. power grid offline if we go to war with them. I want to say for the record that I am not and
Starting point is 00:16:06 cannot confirm or deny any of this reporting. If these programs exist, I was not read into them. I think it will be clear why I want to be clear about that faction a little bit. But the book quotes General Michael Hayden, who ran the CIA and NSA for Bush saying that, quote, the early days of cyber weapons had the whiff of August 1945, which is referencing the atomic bombs dropped on Hiroshima and Nagasaki. That is a stark comparison. What did he mean by that quote? and why does so much of this story start with Iran? Well, it starts with Iran because the first of those two operations that you discussed, Olympic Games, actually happened.
Starting point is 00:16:40 The second of those programs, Nitro Zeus, was designed and put on the shelf, but never happened in part because the 2015 nuclear agreement between the United States and Iran and other powers basically lowered the temperature enough that nobody had to go think about going into any kind of open conflict with Iran and the Israelis sort of backed off from their threats to Iran. Now, President Trump, of course, has walked away from that agreement, so it's entirely conceivable that at some point in the future, Nitro-Zus will be dusted off the shelf and updated. So let's talk about what these two were. Olympic Games was the U.S. code word for the attacks on the Natanz nuclear enrichment site.
Starting point is 00:17:27 And this is the story that I told in a previous book called Confront and Conceal and wrote about in the times when that book came out in June of 2012. So it's a six-year-old story. And it led to a four-year-long leak investigation. That's the one that you got caught up in, but you weren't the only one, Tommy. There were probably more than 100 people, well more than 100 people who were interviewed to try to go figure out who. was the source of this. It was, to my mind, a ridiculous enterprise because this program involved many countries in many places around the world, and there was an assumption by the FBI that all of the knowledge of it had to come from within, you know, three blocks of the White House, which was
Starting point is 00:18:15 pretty silly from the beginning. And the book actually goes into my discussions with the now deceased head of the Mossad, which came after we had published the details of Olympic Games. But obviously the Israelis were big players in all of this. So Olympic Games was the whiff of 1945, as General Hayden suggested, because it was the most sophisticated cyber attack the United States and its allies had ever conducted, or at least that we ever knew about, against another state. And it basically got into the coding of the computer controllers that ran the centrifuges which enrich uranium underground in Iran. And these enrichment devices are these giant floor-to-ceiling centrifuges
Starting point is 00:18:59 that spin at supersonic speeds. And basically the codes sped them up or slowed them down until they exploded. It became unstable. And you don't want to be anywhere near a centrifuge when it explodes. No. It's like the biggest hand grenade you ever saw. Whipping radioactive material in your face. Yeah, whipping radioactive.
Starting point is 00:19:19 It's low-level radioactivity, but it's a real mess. and the explosion itself can finish you off. The explosion of the centrifuges, which are just giant metal canisters. So this program slowed the Iranians down, but more importantly, I think it had a significant psychological effect on the Iranians because it showed them that the United States was somehow deep inside, and the Israelis were deep inside their systems. and I think shook their confidence that they could ever finish the project of building a nuclear weapon. Right. And so while politicians frequently say it was the sanctions that drove everybody to the table,
Starting point is 00:20:02 I think it was a mix of the sanctions and the sabotage. And we should be clear, like a nuclear facility in Iran isn't on the Internet. There's not some guy like going to ESPN.com who you can just target so he downloads this illicit software. This is a unbelievably carefully designed amount of code, and you have to find a way to get it via some individual probably to a computer that is air-gapped from the Internet that is literally completely set apart from the broader networks, right? That's right. Somebody has to actually walk the USB across that air gap. People call that sneaker net and put it in. Now, we discovered from the Snowden documents that there was another program, a CIA and NSA program, that would actually allow you to beam some code over that air gap into a computer system that had been previously implanted with a piece of hardware that would receive the code using low-level radio waves.
Starting point is 00:21:13 And I described this in the book. That would be another way of bridging the air gap. And it also gives you a sense of what kind of damage Snowden did. People think of Snowden for his revelations about privacy, and we can debate here how revelatory those really were. To my mind, going through the troves of documents, the biggest revelations were really about NSA and British techniques for breaking into foreign systems and programs in which they did exactly that. Yeah, I would agree with you. And what was fascinating I thought in the book is you mentioned Mayor Deghan, the former Mossad head, who you talked to for the book. It seemed like a lot of this work was designed to show Bibi Netanyahu that there was a way to prevent Iran from getting a nuclear weapon short of bombing them and was really used as a way, almost internally, by the national security team in Israel to prevent him from going to war.
Starting point is 00:22:12 And I would say by the national security team you worked for. I mean, I think that both the Bush administration and the Obama administration knew that they couldn't simply say to the Israelis, don't worry, we've got this in hand. You don't really need to bomb. And the Israelis came very close to bombing on many occasions. But President Bush, before the Obama team came in and took office, believed that getting this program going between the two countries gave them an opportunity. gave them an opportunity to say to Netanyahu, look, it's not like we're simply telling you to hold back. We have a covert program. Give it some time to work.
Starting point is 00:22:51 And do you think he was satisfied by that? Satisfied? No. We now know from the memoirs and speeches of people like Ehud Barak and others who were around Netanyahu that on two or three occasions, they came very close to ordering the bombing anyway. And you may recall during the Obama first term, there were some moments when there was a lot of fear inside the NSC, inside the White House that the Israelis were, in fact, about to take action. Yeah. And they like to brief it to some of their reporters that was going to happen in six months or 12 months or what happened or what have you. That's right.
Starting point is 00:23:30 So reports about Stuxnet dribbled out. And I will let you explain this sort of complicated way that that happened. but a couple years later you published a book called Confront and Conceal that you mentioned earlier that included a whole bunch of new detail. And that book was explosive in Washington. You had John McCain and other senators accusing the White House of deliberately leaking this information to show how tough Obama looked. The incident was ultimately referred to the Department of Justice, which opened a leak investigation that was led by none other than our new friend Rod Rosenstein, who is now the number two at DOJ. And then, I mean, if we're being honest, you and I didn't really talk for us.
Starting point is 00:24:06 while. I was not allowed to talk to any of my colleagues about this investigation. I had to get a lawyer, get interviewed by the FBI. Even though it was literally my job to talk with you, I just didn't want to, even though this investigation was ongoing. It just felt like it could create more legal jeopardy. I mean, you write about it all in the book and about an individual named Haas Cartwright, who was ultimately targeted. I just thought it might be interesting for us to finally talk about this fucking nightmare period that we both went through during this league investigation. Tommy, I thought you weren't talking to me because I had said something rude along the way.
Starting point is 00:24:43 I don't understand. No, my high-price lawyer said something very frightening and I went from there. I'm sure. Well, you know, this gets to one of the central problems I had. I had many problems with this leak investigation. The first I've already alluded to, which is there were lots of different sources as I indicated in that previous book for the story of Olympic Games. There were Germans involved. There were British involved. There were a lot of Israelis involved. There was a lot of physical evidence that
Starting point is 00:25:13 you could go see. You could go talk to the IEEA inspectors, the international nuclear inspectors, and they could tell you about the damage they saw that was done to the centrifuges when they visited the Iranian facilities. So there were a lot of ways to piece this whole thing together. Including the code itself, right? And there was the code. So the code got out, not because anything any enterprising journalists did, but because someone screwed up. Right. And one day in 2010, and you may remember these days in the summer of 2010, the code started replicating in networks around the world.
Starting point is 00:25:48 And there was a big meeting inside the Situation Room, which I recounted in that book, that in which Leon Panetta, General Cartwright, many others presented to President Obama. what was going on, and they had to decide whether to try to end the program. And actually, President Obama decided to continue the program for a while figuring that even the Iranians were having a hard time figuring out what was going on, which I think was the right decision. I had gone to the administration, and I think you may remember this, before I published the book, and said, look, I'm going to be writing about this very sensitive program, and I did what responsible journalists, I think, do, which is explain that to you,
Starting point is 00:26:30 said I was willing to go sit down and spend time with anybody you wanted to designate. I asked it to be somebody who was non-political and that I would describe what I had. And if there was something that the government believed was going to cause somebody's death, harm, harm to an imminent operation, we could talk about it. It would be my decision and the New York Times' decision, more importantly, what we would publish or not. but we wanted to hear about that. And that set up a process, which I describe in the book, in which Mike Morel, who was the deputy director of the CIA and I met on several occasions, he had a couple of requests. They were mostly about technical details.
Starting point is 00:27:14 I think we were able to satisfy most of them. And I went off to see General Cartwright, who had been responsible for a lot of cyber operations in the United States and whose outside judgment I trusted. on these issues. And I think he genuinely believed, and I think he was part of this effort to try to say, David, you know, the things that you would do here in X, Y, and Z could be truly damaging. And that requires having a real discussion. And ultimately, when the FBI came around, he made the mistake, I think, of not having a lawyer present. And the FBI maintains that he wasn't honest with them about when he met me and so forth. There was a lot of email traffic. You know,
Starting point is 00:27:58 just setting up meetings. And he was ultimately pled guilty to lying to the FBI. He was never charged with actually leaking any information, and he never did leak any information. By the time I saw him, it was very late in the process of producing that book. So it was the basic story had already been written. He ultimately was pardoned by President Obama in the last days of the Obama administration. And I think there's some question about whether the president fully, understood prior to that time that Cartwright was really just trying to join in the effort
Starting point is 00:28:34 to sort of say it's important we keep this part secret for future harm. Yeah. I mean, again, I was not privy to that kind of program because why would I be? I was a press person. But you had to set up some of the meetings I had where I talked to people who were privy to that program. I set up, you know, you, the way this process worked was you would reach out to someone like me and say, hey, I'm reporting on X, Y, and Z, and I would run it up the chain.
Starting point is 00:28:56 and then I would figure out, well, should you talk to Michael Morel or John Brennan or Dennis McDonald? Like, who is the right person to walk through this or someone at the NSA? And then ultimately when, you know, you were about to publish the book, I think you sent us a pretty thorough rundown of what we should expect to read about to be prepared for. And I, you know, did the same process then. I mean, I think the thing that was always surprising to me about the sleek investigation
Starting point is 00:29:21 was so much of what was reported the existence. of Stucknet, which the government maintained, damaged their ability to manage Iran's nuclear program, had been out there for a while. And then what was in the book was additional detail. It didn't seem like it added more harmful elements as much as it just rounded out this story. So it was bizarre to me sometimes that it was such an intense leak investigation. That's right. And the detail was mostly the deliberations within the Obama administration about how to deal
Starting point is 00:29:56 with the fact that this code had gotten out. And I think what set off the investigators was the discussions that took place inside the situation room and so forth. Because we had printed in the newspaper a lot of the details of the code before, and that didn't prompt any investigation at all because, as I said, the code was circulating around the world. But you also can't take the position that just because something's discussed in the situation room is necessarily off limits. I mean, if you go back and you read Bob Gates's very good memoir
Starting point is 00:30:30 of his time as Secretary of Defense, first for George Bush, and then for Barack Obama in the first two years of the administration, it's full of situation room conversation. Yeah, absolutely. Yeah. I mean, like, because something's discussed in a situation doesn't make it inherently classified, it has to do with the subject matter. Ultimately, it's just a, it's a conference room. But from my perspective, I mean, once this leak investigation started, Kathy Rumler, the White House counsel helped me get an attorney who was a friend of hers who did it pro bono, thank God, because I couldn't have afforded it. But, you know, I wasn't allowed to talk to Ben Rhodes, who I shared an office with who was also dealing with this specific leak investigation. And it was this very weird, very isolating time and process. I always wondered what it was like for you on the other end of this. I mean, did the New York Times bring you lawyers? And did you end up having to talk? to the FBI, or did you guys say, fuck off? First Amendment protects me here. So we did have lawyers who, fortunately, the New York Times paid for, and the Times has a superb legal department because obviously we write a lot of sensitive national security-related
Starting point is 00:31:36 stories and sensitive stories that aren't about national security. And those lawyers help us shape the stories before they are published to make it a little bit harder for the government to go after your sources. They'll help us shape how we describe whose sources were. They will help us construct it in such a way. And there's a good example in the book of this when we get to the program that happened long after you left Washington to undermine North Korea's missile program. We can get to that in a moment. In the end, the FBI and the Justice Department never subpoenaed our notes, my notes.
Starting point is 00:32:17 I think they didn't want to get into an open First Amendment file. with the New York Times. I don't know that for a fact. Rod Rosenstein could give you a better sense of that. And you'll remember that in the second term, the administration was getting a little sensitive to the charge that they had already pursued more leak investigations than all previous presidents added up together.
Starting point is 00:32:41 You mentioned that North Korea, so-called left-of-launch program. That was a revelation that I read about after I left, the White House that you talk about in the book, where essentially somehow the military was able to use cyber tools to prevent a missile from ever achieving orbit or taking off? How the hell does that work? Yeah, so that's pretty fascinating. So, you know, the traditional missile defense is somebody launches a missile. We launch an anti-missile system from Alaska or from California.
Starting point is 00:33:24 you hope to hit the missile in space. It's called a bullet hits a bullet. Even in the best testing conditions, the performance is around 50%. So President Obama recognized that he needed to improve those numbers. And a good deal of the program that he asked the Defense Department and the intelligence agencies to step up in meetings in January of 24. were already underway under this rubric of left of launch. And that means before a launch happens. And a left of launch program can be everything from feeding a country bad parts.
Starting point is 00:34:07 You know, the welding isn't done right so that something will go wrong. The software has got some errors in it. All kinds of things like that. To what happened here, which was in addition to those steps, a cyber and electronic warfare effort. to try to make sure that if the missile got launched, it sort of went harmlessly into the sea. And what got us going on this was a recognition that when Kim Jong-un began in late 2015, early 2016,
Starting point is 00:34:39 to start launching the Musadon missile and intermediate range missile. Very well-tested, mature missile system that basically came out of an old Soviet design. they had a failure rate in North Korea of about 88%. Wow. And my colleague Bill Broad, who you may remember and I were talking about this one day and we said, that's just too high. Yeah.
Starting point is 00:35:02 And sure enough, after we spent months of digging in, we actually found congressional testimony, on the record, congressional testimony about the left of launch programs. Didn't specifically say North Korea, but some of the contractors who submitted, you know, were making presentations at conferences, had big pictures of North Korea and a smiling Kim Jong-un at one end of it, you know? Very subtle, yes. It wasn't exactly a great subtle secret about where they were aiming this. And the more we dug in, the more we found out about the nature of this program.
Starting point is 00:35:39 And then we ended up publishing the story early in the Trump administration. And I had to go back to the Trump administration and explain to them that we'd already talked to the intelligence community about this in the last days of the Obama administration. And that was a fascinating experience because it was just as General Flynn was getting fired and H.R. McMaster was coming in. These things seem a million years ago now, right? Yeah, they really did. And we had to basically bring them up to date on the program because they hadn't been fully briefed already. And then they would go off and come back with a set of requests for us as well. But it was clear that they didn't have a really strong handle on this yet.
Starting point is 00:36:22 Jesus Christ. Well, I guess that's not surprising. Also interesting that the secrecy around a lot of these programs is inconsistent at best. But just to step back and do a little bit of big picture, I mean, you talk about the efforts against Iran's nuclear program. You talk about, you know, plans to essentially take down Iran's power grid. If there's a war, there's a low grade all the time cyber warfare with China. I mean, it just seems like this is the new normal, right? I mean, you have people like Leon Panetta, the former Secretary of Defense, former CIA director, saying that, you know, a massive cyber attack is the new Pearl Harbor. And we really did see that play out when Russia invaded Ukraine. And the first wave of attacks aren't bombs dropping on the city
Starting point is 00:37:08 now. It's cyber attacks on a power grid or a massive propaganda effort to show confusion. Is that the future of warfare? It's not the future of warfare. It's the today of warfare. Right, right. It's already happened. It's just many people haven't caught up on this. And one of the big themes of the book is that while there are criminal hacks and the things that, you know, go after your credit card numbers and all that, in fact, frequently, you are just the collateral damage in a state-on-state cyber war that you're not even aware is happening.
Starting point is 00:37:43 So, Tommy, you had to get your security clearance. You had to fill out an SF-86 form, this enormously long form that listed every medical procedure you'd been through, all of your finances, every relationship you'd ever been in, every foreign friend you had. Don't forget the drug use. All past drug use, right. All of this had to be in there. It's a good thing they didn't go after the drinking, Tommy. have been really ugly. All of the above.
Starting point is 00:38:14 And that's right. And there were 22 million of these stored up in the Office of Personnel Management, the most boring bureaucracy in Washington. They were never encrypted. Unbelievable. They were never really given significant security. They were stored on the computers of the interior department because they had extra computing space.
Starting point is 00:38:36 So they were getting the same protection. They were protecting your medical and drug use records with the, you know, and the, you're records of like bison migration in Yellowstone. Great, yeah. And what do you know the Chinese took all of it? Yeah. And they encrypted it as they sent it back to China so that we wouldn't see what they were sending back. Massive incompetence.
Starting point is 00:39:00 And that information is, provides the keys to blackmail anyone who didn't want that information that they put in that form disclosed. But also, even worse, because a lot of our CIA guys work under. cover abroad, it also helped the Chinese intelligence services sort out who was there under a fake cover. So this was a disaster of epic proportion that was never really given its due, I think, in the press in terms of what a fuck up it was. Right. So, I mean, I wrote a lot of front page stories about it. I'm not sure how many people paid attention to those. And I wasn't the only one who was doing it.
Starting point is 00:39:33 I read them. But the fact of the matter is that President Obama never came out and publicly identified the Chinese as the one responsible here. And never. did anybody in the U.S. government take responsibility for the bigger implications which you had just right here, and people had their assignments to China, canceled, rescheduled, and so forth. No one took responsibility for it because no one wanted to admit that the Chinese had all of this. And one of the big themes of the book is, and I think one of the parts of the book that is most critical of your former colleagues in the Obama administration, is that they consistently failed to name the people who were doing these attacks.
Starting point is 00:40:16 So before the Russians went into the DNC, they attacked the White House, the State Department, the Joint Chiefs of Staff, and they never paid a price for it. So Vladimir Putin thought, well, they may have tried to throw us out of the State Department and White House systems, but they never really punished us for it. Why is he going to hesitate going into the DNC, which is a lot less sensitive than, say, the White House systems. Yeah. And I thought you nailed why that there's some hesitates sometimes to name who did these
Starting point is 00:40:50 things because the intelligence services simply want to preserve their access to these systems and to be able to identify who is doing what in China or Russia or what have you, whereas law enforcement wants to prosecute or deter and the politicians or the political staff want to be able to show the American people that were actually doing something about it. So it is a complicated, fraught mess in every instance, and there's no rules of the road because, as you've written about, this is like a decade-old technology. Well, also there are no rules of the road because it's probably the most over-classified territory that you can possibly imagine. Yeah, and that's saying something. And I don't think that's necessary.
Starting point is 00:41:30 I mean, in the nuclear age, every detail about how you built a nuclear weapon or where we kept them or who had authority to, you know, press the button. Those were kept classified. But we managed to have a rip-roaring, very public debate about how to use nuclear weapons. And it ended up in a completely different place than it started because in the 50s, MacArthur wanted to use nuclear weapons against the North Koreans and the Chinese. Eisenhower said, though I don't think he believed, it was just another bullet in our arsenal. And we ended up by the 80s when President Obama was in college and writing about the ban the bomb. movements and so forth, that we would only use nuclear weapons as a matter of national survival.
Starting point is 00:42:15 That's a completely different picture of how you would use it and why President Obama wanted to reduce their role, as he said consistently in American defenses, right? That was a result of a very public debate. We have never had the equivalent debate about cyber, in part because the government doesn't want to have the debate so they won't discuss our capabilities, they won't discuss our intentions, and most importantly, they won't discuss what's off limits. I mean, you and I could put together a pretty good list, I think, over a beer of things you wanted to be off limits to cyber attack around the world.
Starting point is 00:42:56 Hospitals, right? Election systems, emergency services, nursing homes. I mean, elementary schools. We could come. Yeah, the Hoover Dam, right. We could come up with these. If we came up with this and call me out on this, Tommy, if you think I'm wrong. Let's say we put together that list.
Starting point is 00:43:15 And then you circulated it in what in your previous life they called the interagency, right? The intelligence agencies would come back and say, well, wait a minute. Do we really want to do this? I mean, we had to interfere in elections in Italy in the 1940s to keep it from going communist. We interfered in elections in Latin America in the 50s and 70s. 60s, we ran a coup in Iran in the 1950s. Nitro-Zus, the program I talked to before, if you take out an entire country's power grid to try to win a war without firing a shot, you're necessarily going to hit hospitals and nursing homes and elementary schools. So I'm not sure that the U.S. government would actually sign on to those restrictions.
Starting point is 00:44:01 Yeah, you're right. David Sanger, I agree with you that there is far too little discussion and debate about these issues. A great place to start is by buying the perfect weapon, war, sabotage, and fear in the cyber age. And to read all of your stuff on the New York Times site because you guys are doing great reporting. Thank you for talking with me about the book. I could go on all day, but, you know, she should probably stop at an hour. Well, you know, Tommy, I'm sorry we made you go out and hire a lawyer. I feel really bad about it.
Starting point is 00:44:29 So if you ever make it back into D.C., the first drink is on me. That's great. And by the way, it was pro bono of us. So don't feel that bad. Oh, okay. Feel bad for the guy Zuckerberg Spader who had to deal with me
Starting point is 00:44:39 for like a couple months. Thank you, Eric Dillinski. By the way, my lawyer, pro bono. You're the best. Sanger, thank you again. And I will take you up on that beer the next time in D.C.
Starting point is 00:44:50 And congrats on a hell of a good book, man. Thank you very much, Tommy. The episode is over. Delete it. Download it again. Give me two listens. Thanks for tuning in.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.