From the bookshelf: ‘The perfect weapon’
15 Sep 2018|

The new cold war is being fought in cyberspace on a continuing basis and with ever more sophisticated technologies.

The Western powers, principally the United States and its allies, confront growing intrusions from adversaries ranging from Russia and China to Iran and North Korea.

The West doesn’t necessarily have clean hands either. In particular, the NSA (National Security Agency) ranges far and wide in the cyber domains not only of adversaries but often of allies. In short, everyone is spying on everybody else; the difference is that some powers are unrestrained and therefore far more hostile in their endeavours than others.

This prevailing situation in cyberspace is captured brilliantly by David E. Sanger in his new book, The perfect weapon: war, sabotage, and fear in the cyber age (Crown, New York, 2018). Sanger is a respected journalist with the New York Times who teaches policy on national security at Harvard’s Kennedy School of Government. He also contributes to CNN.

Two of his earlier books, The inheritance (2009) and Confront and conceal (2012), focused on Obama-era national security challenges and American foreign policy. They were both bestsellers and well received. But this new book breaks open the digital space for a broad audience. It’s not only instructive on cyber challenges and confrontations, but can be highly entertaining.

For example, Sanger, who spoke at the recent Aspen Security Forum, details a private-sector initiative to hold Chinese cyber warriors accountable. A former US Air Force intelligence officer, Kevin Mandia, was tracking Chinese intrusions. His cybersecurity company, Mandiant, traced the hackers to Pudong, across the Huangpu River from Shanghai. A certain location came into view.

Sanger writes:

The boxy twelve-story building along Datong Road on the outskirts of Shanghai was easy to overlook. In the jumble of a city of 24 million people—China’s most populous, and among its most high-tech—it was just another bland, white high-rise. The only hint that the unmarked building was actually a base for the People’s Liberation Army and its pioneering cyber force, Unit 61398, came if you looked at the protections surrounding the tower—or the security forces who came after you if you dared to take a picture of it.

Unit 61398 specialised in breaking into the private networks of Fortune 500 companies which were sometimes clients of Mandia. Mandia’s staff, usually former intelligence officers and cyber professionals, did the extraordinary and broke into the Chinese network and activated the cameras attached to the laptops of the hackers. They could then watch the hackers in real time going about their work.

Sanger observed this activity courtesy of Mandia and saw the hackers wearing leather jackets or undershirts, pausing over lunch to look at sports scores, contact their girlfriends or even watch pornography. But the hackers were expert thieves who moonlighted for Chinese companies as well as doing the bidding of their government. Sanger’s conclusion is compelling:

This is what the new cold war between the world’s two largest economies looked like up close. It bore no resemblance to the more familiar conflicts of past decades: No one was arguing over the fate of Taiwan, or bombarding the tiny islands of Quemoy and Matsu, as Mao did in 1958, prompting the United States to reinforce its Seventh Fleet and consider whether it was worth going to war. For while China was still interested in staking its territorial claims—starting in the South China Sea—and keeping America at bay, it understood the keys to re-emerging as a global power after a centuries-long hiatus: artificial intelligence, space technology, communications, and the crunching of big data. And of course, outmanoeuvring its only real challenger, the United States.

As with all state actors, China has consistently denied that cyberhacking is state-sponsored. Donald Trump has actually downplayed the probability of Russian state cyberhacking, claiming that it could be the work of an overweight loner in a basement.

And here the traffic is not all in one direction. James Comey, in his revealing book A higher loyalty, details his determination to bring to an end an NSA program called Stellar Wind when he was acting US attorney general during the George W. Bush administration. Comey formed the view, much to the rage of then vice president Dick Cheney, that Stellar Wind was illegal because it involved the domestic surveillance of Americans. Comey was vindicated and the program was cancelled.

The difference, which is obvious, is that there are some rules which govern American cyber warriors; although Edward Snowden, in his treachery, served to demonstrate just how far the US was prepared to go in its global surveillance, which included eavesdropping on a staunch US ally, German Chancellor Angela Merkel, among many others.

Bluntly, however, there are no effective laws which govern cyberhacking originating in St Petersburg or Shanghai—or, for that matter, in Tehran or Pyongyang. This has allowed the development of impressive cyber technologies by adversaries and potential adversaries of the West. The North Koreans are often dismissed in popular media as crude and clumsy, but their hack of Sony Pictures following the production of the 2014 film The Interview was a model of patience and penetration.

Sanger’s book is convincing in its analysis of the impact of cyberwarfare, from Russian hacking which shut down Ukrainian power systems in December 2015 through to the probable US–Israeli ‘Stuxnet’ program, codenamed ‘Olympic Games’, which did massive damage to the Iranian nuclear effort.

Many questions arise as to the impact of cyberweapons in the future. First, given that cyberweapons can be deployed with relatively little cost, what is the appropriate deterrent? Admiral Michael S. Rogers, chief of both the NSA and US Cyber Command, referred to Russian President Vladimir Putin in an answer to the US Senate Armed Services Committee:

Putin … has clearly come to the conclusion that there’s little price to pay here and that therefore ‘I can continue this activity.’ Russia was not alone in reaching this conclusion. Indeed, many adversaries used cyberweapons precisely because they believed them to be a way of undercutting the United States without triggering a direct military response. North Korea paid little price for attacking Sony to robbing central banks. China paid no price for stealing the most private personal details of about 21 million Americans.

Second, at what point should state actors respond to cyberhacking by employing identical means to disrupt or degrade an aggressor? The potential for this kind of conflict to spiral out of control can’t be discounted.

Finally, when does a cyberattack actually constitute an act of war, involving not only a cyber response, but a kinetic response using all available capabilities, including nuclear weapons?

These questions require definitive answers and Sanger’s book travels a long way in illustrating the realities and dilemmas of global cyber conflict as it exists and evolves in the present day. It’s an invaluable contribution to a better understanding of the struggle for supremacy in cyberspace and the pressing need for international protocols to bring some sense of order to the current burgeoning conflict.