Pod Save the World - Cyber war
Episode Date: June 29, 2018Tommy talks with New York Times reporter David Sanger about the new world of cyber warfare. From North Korea's attack on Sony to targeting of Iran's nuclear program and Russia's invasion of Ukraine, c...yber attacks are increasingly used first in war even though there's no rules of engagement and little public debate.
Transcript
Discussion (0)
Welcome back to Pod Save the World. Thank you guys for tuning in this week. The conversation I had today is about cyber warfare. We touch on attacks against Iran's nuclear program, North Korea's missiles, and Seth Rogan. Yes, it is confusing. It is complicated, but it is enormously important because these are the weapons of the future, and we are going to have to deal with this sooner than we hope. My guest is David Sanger, he's one of the smartest reporters out there, and I believe you are going to enjoy the conversation. So here it is.
guest today is a gentleman named David Sanger, who is the National Security correspondent and senior
writer for the New York Times. He's the author of the new book, The Perfect Weapon, War,
Sabotage, and Fear in the Cyber Age. David, we have known each other a very long time. It is
funny to be on the other end of interviewing you, and I'm very excited that you're here today.
Well, thanks, Tommy. We have known each other for a long time, and it's probably just as well that
your listeners don't know the details.
Yes, that's exactly right.
And it's probably pretty good that I'm no longer in government and privy to classified
information because it seems like you have managed to dig up some fascinating, sensitive
stuff in here.
And the last time we worked together on a book that included that kind of information.
We both ended up getting lawyers and I got interviewed by the FBI.
But I want to dig into that story later and first start with the obvious place, which is
by talking about Seth Rogan.
Now, I suspect no one in the White House, the NSA, the Pentagon, or probably in Hollywood,
expected Seth Rogen to be the center of a debate about the future of global warfare.
But that's what happened.
It started with a release of a movie called The Interview.
Can you remind us all why that movie so thoroughly pissed off the North Koreans and what they did in response?
Well, let's start with the obvious and most important fact here.
This was a truly terrible movie.
Okay.
That's outrageous.
There's an anecdote in the book where you have Obama getting briefed on the attack in the Oval Office.
And some unnamed official says, I never thought I'd be in here briefing you on a bad Seth Rogen movie.
And Obama says, how do you know it's a bad movie?
And this unnamed staffer says, because, sir, it's a Seth Rogen movie, which is bullshit.
Super Bad is Great.
This Is The End is hilarious.
I enjoyed the interview.
I was offended by this.
You were.
Well, you see, what happened when you left the White House, everything fell apart, including their movie taste.
People with good taste moved in, okay.
Right.
So what this movie envisioned, it was obviously a comedy,
and it imagined two reporters going to North Korea to interview Kim Jong-un,
and the CIA engages them and tries to get them to basically become their hitmen
to kill Kim Jong-un at some point during the interview or after it.
Now, as you know, Tommy, since you spent a career in Washington here dealing,
with journalists. If you were going to hire hitmen, would you hire journalists for that job?
Probably not, no. Yeah, unrealistic. Yeah, probably the least competent people I can think of, having been
around journalists and been a journalist for a long time. So the North Koreans heard about this
plot line even before the movie came out. And so they did the only reasonable thing that you would do
if you wanted to stop a movie from coming out in Hollywood, which is they wrote a letter to the
Secretary General of the United Nations.
because you know just how influential he is with the Hollywood crowd.
And when that predictably failed, they had their hackers burrowed deep into the Sony systems.
This was 2014.
And they were very patient.
They did what good hackers do.
They spent months mapping out the system, figuring out what was connected to what and how they could do the most damage to the system.
While a lot of people only vaguely remember the Sony hack, and if they do probably remember it for a series of emails that suggested that Angelina Jolie was difficult to work with on the set.
Oh, right.
In fact, the import of the Sony hack was that it melted down about 70% of Sony's computer systems.
Wow.
And interesting question, it's completely paralyzed Sony Pictures Entertainment.
They had to go write their paychecks at the end of the week using like these old.
paycheck machines from the 60s and 70s. So they were completely fried. And that was one of the first
truly destructive hacks. The United States, of course, had done one against the Iranians.
That was the one for which I wrote some in the last book. That's the one that got you that
visit from the FBI, Tony. Sure did. Tommy, which we can come back to in a little bit.
But this particular hack was remarkable because it was against a private company.
And the debate that took place in the White House was, was this an act of war?
Right.
How do you respond to this?
Right.
And it's kind of a fascinating question because supposing for a minute that the North Koreans did not have access to cyber.
And instead, they had landed a bunch of commandos at Long Beach and called an Uber and gone up to the Sony studios.
you know, remarking to each other that they couldn't imagine that much traffic in the world, right?
Because they come out of North Korea. And then they joined the studio tour. And then they stick some dynamite
underneath the computer center and they run like hell and hang out in a bar.
If they had done that and the computer center had been blown sky high and you would have seen
photographs or a video on CNN of it burning in front of the Hollywood sign, any American president would have been forced to go make something blow
up in Pyongyang, I'm fairly well convinced. I'd be interested in your view on that. Instead,
because they did it in a purely cyber way, there was no equivalent outrage. And the president,
President Obama in the end, denounced them and put on some sanctions that I doubt the North
Koreans ever even noticed amid all the other sanctions that had been put on North Korea.
Right. And it's funny, you're not being hyperbolic. I mean, you were reporting from inside
the room where this was debated. And Obama ultimately called this an act.
of cyber vandalism, but other national security officials said that this was the equivalent
of planting a bomb inside Sony. But a complicating factor here is determining exactly who
conducted a cyber attack, but then figuring out how to respond because apparently, according
to your book, the only way to get into North Korea's networks to respond with an attack
of our own was going through China, which could make the Chinese feel like we were attacking
them. So this is not a simple policy response debate either. And it wasn't the only time. We
You had times when we wanted to go after ISIS, where the debate was, could we go through German networks without telling the Germans?
Because a lot of the ISIS recruiting material was stored in the cloud in German systems.
So this has been a very big issue across many years.
And it gets to a big theme of the perfect weapon, which is you can have the greatest cyber weapons on Earth.
And the United States still does.
but you're going to be hesitant to use them if you believe that your system is so vulnerable,
your systems are so vulnerable, that somebody's going to be able to go strike back.
And because the U.S. is the most connected nation on Earth, we're nothing but vulnerabilities.
And every time we create another internet-connected refrigerator or another internet-connected autonomous car,
we're actually increasing the target space.
Right, right.
And I want to start with North Korea because you don't hear North Korea.
Korea and think tech savvy country full of young hackers. It's a closed-off society. They don't
have kids growing up on the internet and just figuring stuff out. So they had to work at it. And it
happened slowly under Kim Jong-il, who would have North Korea's UN employees enroll in computer
science classes while living in New York, a very subtle move that was quickly noticed by the FBI.
He also dispatched engineers to Russia and China for training. But when Kim Jong-un assumed power,
he really hit the gas, right? So how good are the North Koreans now and how
How did they progress so quickly?
Well, if you had to rank countries right now after, you know, the United States, Britain,
Israel, or among the best, I'd say you'd probably say the Russians are the best, the Chinese
right behind them, and the Iranians and North Koreans after that.
And then there were a lot of upcoming countries because we think they're between 30 and 40
countries that now have a sophisticated cyber capability.
And Tommy, when you and I were jousting over this stuff six, seven years ago, when you were
still the White House, I would guess there were maybe three or four countries, five countries
that had that kind of capability.
So it gives you a sense of the speed at which this proliferation has taken place.
The reason that's happened and the reason the North Koreans have gotten good is that the price
of entry is just dirt cheap.
If you want to build nuclear weapons, you need plutonium, you need uranium, those aren't
so easy to get in refined form.
then you need to have, you know, multi-million, if not multi-billion dollar facilities to be able to turn that fuel into a bomb and develop the missiles to go deliver it.
If you want to build a good cyber force, you need some laptops, you need some young coders, you need to be able to spread them around the world so they have lots of access to the Internet and can hide their whereabouts.
And you need a couple of cases of Red Bull.
And that combination is about the totality of the cost.
So when I called this book the perfect weapon, it's because it's the perfect leveler for smaller states that want to come up with a way to have a short-of-war attack on a much larger state, especially the U.S.
Yeah, it's the perfect asymmetric warfighting tool.
Stepping back a bit, I think, I imagine reporting on cyber warfare probably mirrors the difficulty in development.
policy around it because it feels very hard to define for me. Like, for example, I know what
nuclear proliferation means. It means building more nuclear missiles. I know what a missile is or a
tank or a fighter jet. I can define what those weapons are. I can't really define in my own head
what a cyber weapon is. Can you explain it or is it amorphous? No, I think you can't explain it.
A cyber weapon is based on a vulnerability in somebody's code. And since we now have so much code
around the world, running your iPhone, running your PC, running industrial controllers, running
nuclear power plants. Whenever there's coding, there's going to be errors in coding, mistakes
that allow somebody to get in, that allows somebody to manipulate the system. If these errors have
never been found before, they're usually called zero-day flaws. And that means you have zero
days of warning that this is a vulnerability to you. You're first going to discover it when it happens.
And you may remember from your time back in the NSC that a process was built at the White House
to begin to evaluate when these vulnerabilities came up and came to the attention of the U.S.
government or when they went out to go by vulnerabilities. Do we report this to industry?
You know, warn Microsoft and Google and all those that this flaw is there so that they can
patch it and protect all of us? Or do you keep it and tuck it away in your arsenal and build a
weapon around it that exploits it so that you have a weapon that you can use against someone else?
And if you believe the reporting that the NSA and others had, they kept about 10% of all the
flaws plus or minus and they reported to industry 90%. Wow, that surprises me. Now, it surprises you,
which way? That they would hold on to so many. I mean, it feels like that's a
It is a pretty big risk. On the other hand, they felt that if they didn't hold on to anything,
they were basically unilaterally disarming because the Russians and the Chinese are looking for
these flaws as well and the Iranians and the North Koreans and the North Koreans and teenagers who
are hoping to sell these flaws on the open market and you can make a lot of money doing it.
So they felt that if they didn't do that, they were basically surrendering in the war.
Right.
Now, then once you have the vulnerability, then you build your weapon around that vulnerability.
Now, part of the book goes into something that happened, you'll be glad to know, after you left the White House,
which is that we built up this big arsenal of weapons.
Imagine a storehouse of cyber weapons, the way you'd have a storehouse of, say, missiles.
And then someone broke in or an insider slipped them out, and all of a sudden in the middle of the summer,
of 2016, some of these weapons started showing up on the web.
And so one was offering to sell more of them, a group called the Shadowbrokers.
This was from the NSA's tailored access operations group.
That's right.
They came right out of tailored access operations, which is the corner of the NSA.
It's been renamed since that basically broke into foreign systems.
Now, the response of the NSA was not to confirm that these weapons even belonged to the United States.
But sooner or later, they got broken up and shot back at us and our allies.
The Wanukry attack that North Korea did against the British health care system,
which may have been an unintended target last summer,
was, in fact, a U.S. developed weapon that got out there,
and the NSA sort of raced out to warn Microsoft to patch it.
But by the time Microsoft did that, and since a lot of these systems around the world are old,
the patch didn't really do much good.
Terrifying.
The other thing that genuinely surprised me about the development of these weapons was that
it's largely done by outside contractors in the same way that the F-35 is developed by Lockheed Martin
or Predator drones are made by General Atomics.
It's like I can't believe that we just throw...
these tools or the development of them to contractors at Booz Allen, which is not coincidentally
probably where Edward Snowden worked. It's where Edward Snowden worked. It's where other people who
have been arrested by the FBI in recent years worked, including Hal Martin, who was an NSA.
It worked at the NSA, worked other places as well and was found hoarding a lot of these documents
inside his house. Some people believe that those documents somehow found their way to the Russians as well
and that that may have been one of the sources for Shadowbrokers. It's not at all clear that Mr. Martin even knew that was
happening. So, yes, this gets sent out to contractors the way building satellites get sent out to
contractors or building aircraft parts get sent out to contractors. And frankly, it's the contractors
who can pay the best computer talent a lot more money than the U.S. government can.
Right, right.
Let's talk about a place a lot of these cyber weapons seem to have ended up somehow or the other,
which is Iran.
You write about two highly sensitive efforts against Iran that I presume are or assume
our covert action programs.
One is called Olympic Games, which is designed to sabotage their nuclear weapons program.
The other is called Nitro-Zuse, which is essentially a massive cyber attack designed to take Iran.
power grid offline if we go to war with them. I want to say for the record that I am not and
cannot confirm or deny any of this reporting. If these programs exist, I was not read into them.
I think it will be clear why I want to be clear about that faction a little bit. But the book quotes
General Michael Hayden, who ran the CIA and NSA for Bush saying that, quote, the early days
of cyber weapons had the whiff of August 1945, which is referencing the atomic bombs dropped on
Hiroshima and Nagasaki. That is a stark comparison. What did he mean by that quote?
and why does so much of this story start with Iran?
Well, it starts with Iran because the first of those two operations that you discussed,
Olympic Games, actually happened.
The second of those programs, Nitro Zeus, was designed and put on the shelf,
but never happened in part because the 2015 nuclear agreement between the United States
and Iran and other powers basically lowered the temperature enough that nobody had to go think
about going into any kind of open conflict with Iran and the Israelis sort of backed off from
their threats to Iran. Now, President Trump, of course, has walked away from that agreement,
so it's entirely conceivable that at some point in the future, Nitro-Zus will be
dusted off the shelf and updated. So let's talk about what these two were.
Olympic Games was the U.S. code word for the attacks on the Natanz nuclear enrichment site.
And this is the story that I told in a previous book called Confront and Conceal and wrote about in the times when that book came out in June of 2012.
So it's a six-year-old story.
And it led to a four-year-long leak investigation.
That's the one that you got caught up in, but you weren't the only one, Tommy.
There were probably more than 100 people, well more than 100 people who were interviewed to try to go figure out who.
was the source of this. It was, to my mind, a ridiculous enterprise because this program involved
many countries in many places around the world, and there was an assumption by the FBI that all
of the knowledge of it had to come from within, you know, three blocks of the White House, which was
pretty silly from the beginning. And the book actually goes into my discussions with the now
deceased head of the Mossad, which came after we had published the details of Olympic Games. But
obviously the Israelis were big players in all of this. So Olympic Games was the whiff of
1945, as General Hayden suggested, because it was the most sophisticated cyber attack the United
States and its allies had ever conducted, or at least that we ever knew about, against another
state. And it basically got into the coding of the computer controllers that ran the centrifuges
which enrich uranium underground in Iran.
And these enrichment devices are these giant floor-to-ceiling centrifuges
that spin at supersonic speeds.
And basically the codes sped them up or slowed them down until they exploded.
It became unstable.
And you don't want to be anywhere near a centrifuge when it explodes.
No.
It's like the biggest hand grenade you ever saw.
Whipping radioactive material in your face.
Yeah, whipping radioactive.
It's low-level radioactivity, but it's a real mess.
and the explosion itself can finish you off.
The explosion of the centrifuges, which are just giant metal canisters.
So this program slowed the Iranians down, but more importantly, I think it had a significant psychological effect on the Iranians
because it showed them that the United States was somehow deep inside, and the Israelis were deep inside their systems.
and I think shook their confidence that they could ever finish the project of building a nuclear weapon.
Right.
And so while politicians frequently say it was the sanctions that drove everybody to the table,
I think it was a mix of the sanctions and the sabotage.
And we should be clear, like a nuclear facility in Iran isn't on the Internet.
There's not some guy like going to ESPN.com who you can just target so he downloads this illicit software.
This is a unbelievably carefully designed amount of code, and you have to find a way to get it via some individual probably to a computer that is air-gapped from the Internet that is literally completely set apart from the broader networks, right?
That's right.
Somebody has to actually walk the USB across that air gap.
People call that sneaker net and put it in.
Now, we discovered from the Snowden documents that there was another program, a CIA and NSA program, that would actually allow you to beam some code over that air gap into a computer system that had been previously implanted with a piece of hardware that would receive the code using low-level radio waves.
And I described this in the book.
That would be another way of bridging the air gap.
And it also gives you a sense of what kind of damage Snowden did.
People think of Snowden for his revelations about privacy, and we can debate here how revelatory those really were.
To my mind, going through the troves of documents, the biggest revelations were really about NSA and British techniques for breaking into foreign systems and programs in which they did exactly that.
Yeah, I would agree with you.
And what was fascinating I thought in the book is you mentioned Mayor Deghan, the former Mossad head, who you talked to for the book.
It seemed like a lot of this work was designed to show Bibi Netanyahu that there was a way to prevent Iran from getting a nuclear weapon short of bombing them and was really used as a way, almost internally, by the national security team in Israel to prevent him from going to war.
And I would say by the national security team you worked for.
I mean, I think that both the Bush administration and the Obama administration knew that they couldn't simply say to the Israelis, don't worry, we've got this in hand.
You don't really need to bomb.
And the Israelis came very close to bombing on many occasions.
But President Bush, before the Obama team came in and took office, believed that getting this program going between the two countries gave them an opportunity.
gave them an opportunity to say to Netanyahu, look, it's not like we're simply telling you to hold back.
We have a covert program.
Give it some time to work.
And do you think he was satisfied by that?
Satisfied?
No.
We now know from the memoirs and speeches of people like Ehud Barak and others who were around Netanyahu that on two or three occasions, they came very close to ordering the bombing anyway.
And you may recall during the Obama first term, there were some moments when there was a lot of fear inside the NSC, inside the White House that the Israelis were, in fact, about to take action.
Yeah.
And they like to brief it to some of their reporters that was going to happen in six months or 12 months or what happened or what have you.
That's right.
So reports about Stuxnet dribbled out.
And I will let you explain this sort of complicated way that that happened.
but a couple years later you published a book called Confront and Conceal that you mentioned earlier
that included a whole bunch of new detail. And that book was explosive in Washington. You had John McCain
and other senators accusing the White House of deliberately leaking this information to show how tough Obama looked.
The incident was ultimately referred to the Department of Justice, which opened a leak investigation
that was led by none other than our new friend Rod Rosenstein, who is now the number two at DOJ.
And then, I mean, if we're being honest, you and I didn't really talk for us.
while. I was not allowed to talk to any of my colleagues about this investigation. I had to get a lawyer,
get interviewed by the FBI. Even though it was literally my job to talk with you, I just didn't
want to, even though this investigation was ongoing. It just felt like it could create more
legal jeopardy. I mean, you write about it all in the book and about an individual named
Haas Cartwright, who was ultimately targeted. I just thought it might be interesting for us to
finally talk about this fucking nightmare period that we both went through during this league
investigation.
Tommy, I thought you weren't talking to me because I had said something rude along the way.
I don't understand.
No, my high-price lawyer said something very frightening and I went from there.
I'm sure.
Well, you know, this gets to one of the central problems I had.
I had many problems with this leak investigation.
The first I've already alluded to, which is there were lots of different sources as I
indicated in that previous book for the story of Olympic Games. There were Germans involved. There were
British involved. There were a lot of Israelis involved. There was a lot of physical evidence that
you could go see. You could go talk to the IEEA inspectors, the international nuclear inspectors,
and they could tell you about the damage they saw that was done to the centrifuges when they visited
the Iranian facilities. So there were a lot of ways to piece this whole thing together.
Including the code itself, right?
And there was the code.
So the code got out, not because anything any enterprising journalists did, but because someone screwed up.
Right.
And one day in 2010, and you may remember these days in the summer of 2010, the code started replicating in networks around the world.
And there was a big meeting inside the Situation Room, which I recounted in that book, that in which Leon Panetta, General Cartwright, many others presented to President Obama.
what was going on, and they had to decide whether to try to end the program.
And actually, President Obama decided to continue the program for a while
figuring that even the Iranians were having a hard time figuring out what was going on,
which I think was the right decision.
I had gone to the administration, and I think you may remember this,
before I published the book, and said, look, I'm going to be writing about this very sensitive program,
and I did what responsible journalists, I think, do, which is explain that to you,
said I was willing to go sit down and spend time with anybody you wanted to designate.
I asked it to be somebody who was non-political and that I would describe what I had.
And if there was something that the government believed was going to cause somebody's death, harm, harm to an imminent operation, we could talk about it.
It would be my decision and the New York Times' decision, more importantly, what we would publish or not.
but we wanted to hear about that.
And that set up a process, which I describe in the book, in which Mike Morel, who was the
deputy director of the CIA and I met on several occasions, he had a couple of requests.
They were mostly about technical details.
I think we were able to satisfy most of them.
And I went off to see General Cartwright, who had been responsible for a lot of cyber
operations in the United States and whose outside judgment I trusted.
on these issues. And I think he genuinely believed, and I think he was part of this effort to try to say,
David, you know, the things that you would do here in X, Y, and Z could be truly damaging. And that requires
having a real discussion. And ultimately, when the FBI came around, he made the mistake, I think,
of not having a lawyer present. And the FBI maintains that he wasn't honest with them about
when he met me and so forth. There was a lot of email traffic. You know,
just setting up meetings.
And he was ultimately pled guilty to lying to the FBI.
He was never charged with actually leaking any information, and he never did leak any information.
By the time I saw him, it was very late in the process of producing that book.
So it was the basic story had already been written.
He ultimately was pardoned by President Obama in the last days of the Obama administration.
And I think there's some question about whether the president fully,
understood prior to that time that Cartwright was really just trying to join in the effort
to sort of say it's important we keep this part secret for future harm.
Yeah.
I mean, again, I was not privy to that kind of program because why would I be?
I was a press person.
But you had to set up some of the meetings I had where I talked to people who were
privy to that program.
I set up, you know, you, the way this process worked was you would reach out to someone like
me and say, hey, I'm reporting on X, Y, and Z, and I would run it up the chain.
and then I would figure out, well, should you talk to Michael Morel or John Brennan or
Dennis McDonald?
Like, who is the right person to walk through this or someone at the NSA?
And then ultimately when, you know, you were about to publish the book, I think you
sent us a pretty thorough rundown of what we should expect to read about to be prepared
for.
And I, you know, did the same process then.
I mean, I think the thing that was always surprising to me about the sleek investigation
was so much of what was reported the existence.
of Stucknet, which the government maintained, damaged their ability to manage Iran's nuclear program,
had been out there for a while.
And then what was in the book was additional detail.
It didn't seem like it added more harmful elements as much as it just rounded out this story.
So it was bizarre to me sometimes that it was such an intense leak investigation.
That's right.
And the detail was mostly the deliberations within the Obama administration about how to deal
with the fact that this code had gotten out.
And I think what set off the investigators was the discussions that took place inside
the situation room and so forth.
Because we had printed in the newspaper a lot of the details of the code before, and that
didn't prompt any investigation at all because, as I said, the code was circulating around
the world.
But you also can't take the position that just because something's discussed in the situation
room is necessarily off limits. I mean, if you go back and you read Bob Gates's very good memoir
of his time as Secretary of Defense, first for George Bush, and then for Barack Obama in the
first two years of the administration, it's full of situation room conversation. Yeah, absolutely.
Yeah. I mean, like, because something's discussed in a situation doesn't make it inherently
classified, it has to do with the subject matter. Ultimately, it's just a, it's a conference room.
But from my perspective, I mean, once this leak investigation started, Kathy Rumler, the White House counsel helped me get an attorney who was a friend of hers who did it pro bono, thank God, because I couldn't have afforded it. But, you know, I wasn't allowed to talk to Ben Rhodes, who I shared an office with who was also dealing with this specific leak investigation. And it was this very weird, very isolating time and process. I always wondered what it was like for you on the other end of this. I mean, did the New York Times bring you lawyers? And did you end up having to talk?
to the FBI, or did you guys say, fuck off? First Amendment protects me here.
So we did have lawyers who, fortunately, the New York Times paid for, and the Times has a
superb legal department because obviously we write a lot of sensitive national security-related
stories and sensitive stories that aren't about national security. And those lawyers
help us shape the stories before they are published to make it a little bit harder for the
government to go after your sources.
They'll help us shape how we describe whose sources were.
They will help us construct it in such a way.
And there's a good example in the book of this when we get to the program that happened long after you left Washington to undermine North Korea's missile program.
We can get to that in a moment.
In the end, the FBI and the Justice Department never subpoenaed our notes, my notes.
I think they didn't want to get into an open First Amendment file.
with the New York Times.
I don't know that for a fact.
Rod Rosenstein could give you a better sense of that.
And you'll remember that in the second term,
the administration was getting a little sensitive to the charge
that they had already pursued more leak investigations
than all previous presidents added up together.
You mentioned that North Korea,
so-called left-of-launch program.
That was a revelation that I read about after I left,
the White House that you talk about in the book,
where essentially somehow the military was able to use cyber tools to prevent a missile from ever
achieving orbit or taking off? How the hell does that work?
Yeah, so that's pretty fascinating. So, you know, the traditional missile defense is somebody
launches a missile. We launch an anti-missile system from Alaska or from California.
you hope to hit the missile in space.
It's called a bullet hits a bullet.
Even in the best testing conditions, the performance is around 50%.
So President Obama recognized that he needed to improve those numbers.
And a good deal of the program that he asked the Defense Department and the intelligence agencies to step up in meetings in January of 24.
were already underway under this rubric of left of launch.
And that means before a launch happens.
And a left of launch program can be everything from feeding a country bad parts.
You know, the welding isn't done right so that something will go wrong.
The software has got some errors in it.
All kinds of things like that.
To what happened here, which was in addition to those steps, a cyber and electronic warfare effort.
to try to make sure that if the missile got launched,
it sort of went harmlessly into the sea.
And what got us going on this was a recognition
that when Kim Jong-un began in late 2015, early 2016,
to start launching the Musadon missile and intermediate range missile.
Very well-tested, mature missile system
that basically came out of an old Soviet design.
they had a failure rate in North Korea of about 88%.
Wow.
And my colleague Bill Broad, who you may remember and I were talking about this one day and we said,
that's just too high.
Yeah.
And sure enough, after we spent months of digging in, we actually found congressional testimony,
on the record, congressional testimony about the left of launch programs.
Didn't specifically say North Korea, but some of the contractors who submitted, you know,
were making presentations at conferences, had big pictures of North Korea and a smiling Kim Jong-un
at one end of it, you know?
Very subtle, yes.
It wasn't exactly a great subtle secret about where they were aiming this.
And the more we dug in, the more we found out about the nature of this program.
And then we ended up publishing the story early in the Trump administration.
And I had to go back to the Trump administration and explain to them that we'd already
talked to the intelligence community about this in the last days of the Obama administration.
And that was a fascinating experience because it was just as General Flynn was getting fired
and H.R. McMaster was coming in. These things seem a million years ago now, right?
Yeah, they really did. And we had to basically bring them up to date on the program because they
hadn't been fully briefed already. And then they would go off and come back with a set of requests
for us as well. But it was clear that they didn't have a really strong handle on this yet.
Jesus Christ. Well, I guess that's not surprising. Also interesting that the secrecy around a lot of
these programs is inconsistent at best. But just to step back and do a little bit of big picture,
I mean, you talk about the efforts against Iran's nuclear program. You talk about, you know,
plans to essentially take down Iran's power grid. If there's a war, there's a low grade all the time
cyber warfare with China. I mean, it just seems like this is the new normal, right? I mean,
you have people like Leon Panetta, the former Secretary of Defense, former CIA director, saying
that, you know, a massive cyber attack is the new Pearl Harbor. And we really did see that
play out when Russia invaded Ukraine. And the first wave of attacks aren't bombs dropping on the city
now. It's cyber attacks on a power grid or a massive propaganda effort to show confusion. Is that
the future of warfare?
It's not the future of warfare.
It's the today of warfare.
Right, right.
It's already happened.
It's just many people haven't caught up on this.
And one of the big themes of the book is that while there are criminal hacks and the things that, you know, go after your credit card numbers and all that, in fact, frequently, you are just the collateral damage in a state-on-state cyber war that you're not even aware is happening.
So, Tommy, you had to get your security clearance.
You had to fill out an SF-86 form, this enormously long form that listed every medical procedure you'd been through, all of your finances, every relationship you'd ever been in, every foreign friend you had.
Don't forget the drug use.
All past drug use, right.
All of this had to be in there.
It's a good thing they didn't go after the drinking, Tommy.
have been really ugly.
All of the above.
And that's right.
And there were 22 million of these stored up in the Office of Personnel Management, the most
boring bureaucracy in Washington.
They were never encrypted.
Unbelievable.
They were never really given significant security.
They were stored on the computers of the interior department because they had extra
computing space.
So they were getting the same protection.
They were protecting your medical and drug use records with the, you know, and the, you're
records of like bison migration in Yellowstone.
Great, yeah.
And what do you know the Chinese took all of it?
Yeah.
And they encrypted it as they sent it back to China so that we wouldn't see what they were sending back.
Massive incompetence.
And that information is, provides the keys to blackmail anyone who didn't want that
information that they put in that form disclosed.
But also, even worse, because a lot of our CIA guys work under.
cover abroad, it also helped the Chinese intelligence services sort out who was there under a
fake cover. So this was a disaster of epic proportion that was never really given its due,
I think, in the press in terms of what a fuck up it was.
Right. So, I mean, I wrote a lot of front page stories about it. I'm not sure how many people
paid attention to those. And I wasn't the only one who was doing it.
I read them. But the fact of the matter is that President Obama never came out and publicly
identified the Chinese as the one responsible here. And never.
did anybody in the U.S. government take responsibility for the bigger implications which you had just
right here, and people had their assignments to China, canceled, rescheduled, and so forth.
No one took responsibility for it because no one wanted to admit that the Chinese had all of this.
And one of the big themes of the book is, and I think one of the parts of the book that is most critical
of your former colleagues in the Obama administration, is that they consistently failed to name
the people who were doing these attacks.
So before the Russians went into the DNC, they attacked the White House, the State Department,
the Joint Chiefs of Staff, and they never paid a price for it.
So Vladimir Putin thought, well, they may have tried to throw us out of the State Department
and White House systems, but they never really punished us for it.
Why is he going to hesitate going into the DNC, which is a lot less sensitive than, say,
the White House systems.
Yeah.
And I thought you nailed why that there's some hesitates sometimes to name who did these
things because the intelligence services simply want to preserve their access to these systems
and to be able to identify who is doing what in China or Russia or what have you, whereas
law enforcement wants to prosecute or deter and the politicians or the political staff want to be
able to show the American people that were actually doing something about it.
So it is a complicated, fraught mess in every instance, and there's no rules of the road because, as you've written about, this is like a decade-old technology.
Well, also there are no rules of the road because it's probably the most over-classified territory that you can possibly imagine.
Yeah, and that's saying something.
And I don't think that's necessary.
I mean, in the nuclear age, every detail about how you built a nuclear weapon or where we kept them or who had authority to, you know, press the button.
Those were kept classified.
But we managed to have a rip-roaring, very public debate about how to use nuclear weapons.
And it ended up in a completely different place than it started because in the 50s,
MacArthur wanted to use nuclear weapons against the North Koreans and the Chinese.
Eisenhower said, though I don't think he believed, it was just another bullet in our arsenal.
And we ended up by the 80s when President Obama was in college and writing about the ban the bomb.
movements and so forth, that we would only use nuclear weapons as a matter of national survival.
That's a completely different picture of how you would use it and why President Obama wanted
to reduce their role, as he said consistently in American defenses, right?
That was a result of a very public debate.
We have never had the equivalent debate about cyber, in part because the government doesn't
want to have the debate so they won't discuss our capabilities, they won't discuss our
intentions, and most importantly, they won't discuss what's off limits.
I mean, you and I could put together a pretty good list, I think, over a beer of things
you wanted to be off limits to cyber attack around the world.
Hospitals, right?
Election systems, emergency services, nursing homes.
I mean, elementary schools.
We could come.
Yeah, the Hoover Dam, right.
We could come up with these.
If we came up with this and call me out on this, Tommy, if you think I'm wrong.
Let's say we put together that list.
And then you circulated it in what in your previous life they called the interagency, right?
The intelligence agencies would come back and say, well, wait a minute.
Do we really want to do this?
I mean, we had to interfere in elections in Italy in the 1940s to keep it from going communist.
We interfered in elections in Latin America in the 50s and 70s.
60s, we ran a coup in Iran in the 1950s.
Nitro-Zus, the program I talked to before, if you take out an entire country's power grid to try to win a war without firing a shot, you're necessarily going to hit hospitals and nursing homes and elementary schools.
So I'm not sure that the U.S. government would actually sign on to those restrictions.
Yeah, you're right.
David Sanger, I agree with you that there is far too little discussion and debate about these issues.
A great place to start is by buying the perfect weapon, war, sabotage, and fear in the cyber age.
And to read all of your stuff on the New York Times site because you guys are doing great reporting.
Thank you for talking with me about the book.
I could go on all day, but, you know, she should probably stop at an hour.
Well, you know, Tommy, I'm sorry we made you go out and hire a lawyer.
I feel really bad about it.
So if you ever make it back into D.C., the first drink is on me.
That's great.
And by the way, it was pro bono of us.
So don't feel that bad.
Oh, okay.
Feel bad for the guy
Zuckerberg Spader
who had to deal with me
for like a couple months.
Thank you, Eric Dillinski.
By the way, my lawyer,
pro bono.
You're the best.
Sanger, thank you again.
And I will take you up on that beer
the next time in D.C.
And congrats on a hell of a good book, man.
Thank you very much, Tommy.
The episode is over.
Delete it.
Download it again.
Give me two listens.
Thanks for tuning in.
