Special Editions 11.1.20
Ep 38 | 11.1.20

David Sanger on the HBO documentary based on his book, "The Perfect Weapon".


Rick Howard: Hey all, Rick Howard here in this CyberWire special edition, an extended version of my interview with David Sanger, the noted New York Times journalist, three-peat Pulitzer prize winner, author and now producer for an HBO documentary about his most recent book, The Perfect Weapon: How the Cyber Arms Race Set the World Afire. The Cybersecurity Canon committee inducted his book into the Hall of Fame this past summer and the documentary started streaming on 16th October, on HBO and HBO Max.

Rick Howard: For those of you that don’t know, I am a huge fan of cybersecurity books as a means to stay current in my profession and I am a founding member of the Cybersecurity Canon project that's designed to find and recommend books to the network defender community that are must reads. If anybody has ever asked me what the one book is they should read to get a sense of the cybersecurity community, I would always recommend an old favorite, The Cuckoo’s Egg by Dr Clifford Stoll, published in the late 1980s. That book convinced a lot of people, back in those days, to pursue cybersecurity as a career, including me.

Rick Howard: But if there is any book that could potentially knock The Cuckoo’s Egg off that lofty perch, it is Sanger’s Perfect Weapon. He has captured completely the seminal paradigm shift in thinking by nation states in this last decade, from cyber being a novelty item with limited capability and use, to cyber being a strategic tent pole lever as an instrument of political power and influence. Here is David explaining what the book and documentary are about.

David Sanger: Rick, the concept behind the book was that we went through years in which, in the national security world, people viewed cyber as the sort of interesting side, irregular warfare kind of thing that, you know, was sort of a nice thing to spend a half an hour learning about while you were spending the year or two years or your career learning about traditional national security, and what have we discovered in the time since? That it's not the sideshow, it is the show. That in a world in which no one wants to take on the U.S. military directly, for all the understandable reasons, it is suddenly possible to undercut American power, or another adversary's power, by using a short-of-war, cyber-related weapon, whether you are hacking into infrastructure, dams, voting machines, electric power grids, a financial system, or whether you're hacking into minds. The information wars that we've seen surrounding the 2016 election and begun to see in 2020, although here in the 2020 elections we'll discuss, we've got some new concerns that go beyond what the Russians did four years ago.

Rick Howard: Before 2010, most nation states, including the U.S., thought about cyber as a novel tool for a subset of cyber espionage requirements. By 2020 though, cyber has become the political lever to pull for nation states like China, Russia and the U.S., that are just short of actual warfare. These nations can do extreme damage to each other in the cyber arena without the fear that the action will escalate to an actual shooting war. For smaller nations, like North Korea and Iran, cyber has become the great playing field leveler. These smaller nations can exact the same kinds of damage as the big boys now at a fraction of the cost compared to trying to match the U.S., say, in numbers of tanks, aircraft carriers, and jets.

Rick Howard: From the HBO Documentary, here is Amy Zegart. She is a Senior Fellow at the Freeman Spogli Institute for International Studies at the Hoover Institution and Professor of Political Science at Stanford University.

Amy Zegart: The evolution of cyber has happened very quickly in terms of its importance to the United States and the organizational dimension of it in the U.S. government. In 2007, the Director of National Intelligence issues his threat assessment of all the threats against the country; the word cyber isn't in it a single time. Fast forward just a couple of years, you have the creation of Cyber Command. Fast forward a couple more years, it's 2012. Suddenly, cyber has gone from not being mentioned at all in those threat assessments to being one of the top three threats facing the United States.

Rick Howard: The event that started this monumental change is known as Operation Olympic Games, the code name that the U.S. used to classify the cyber attacks targeting the Iranian nuclear program that became known to the public as Stuxnet.

David Sanger: Well, Stuxnet was an American Israeli effort to undermine Iran's nuclear program by going after the centrifuges, the high speed machines they use to enrich uranium. Now, in a previous age Rick, you would have done that either by bombing the centrifuge center from above or sending in saboteurs, but both of those methods, contemplated at the end of the Bush administration by the U.S. and by Israel, would have had one thing in common. They would have started another war in the Middle East. So, a group of intelligence officials and generals came to Bush, toward the end of his term, and said, sir, we've got another way to get at this. We can put code into the machines that control the Iranian centrifuges at Natanz and blow them up, and Bush looked at them and said, "Yeah, sure." But he authorized them to go ahead and do the experiment of trying to do this in a test system in the United States.

David Sanger: So they took a bunch of the centrifuges that we got from Libya when it gave up its nuclear program. They had the same kind that Iran has. No, no accident the Pakistani scientist, A.Q. Khan, sold them both to them, and put them into an underground hillside location in Tennessee, applied the code to it, made some blow up, brought the shards back to the Situation Room, invited Bush down. He looked at them and well, what he said, I can't say on a nice broadcast like the CyberWire, but let's say that it would be described in The New York Times as a vivid and colorful Texas epithet.

Rick Howard: That's excellent.

David Sanger: Which they took as permission to go out and put them in Iran and then, of course, famously the code got out and that's what you call Stuxnet. Nobody in the U.S. government calls it Stuxnet. They called it Operation Olympic Games, which was one of the most classified operations they had going. Once the code got out in the summer of 2010 it began to spread around the world, and that set me and some of my colleagues off on a big journalistic hunt to figure out where this code came from and eventually, it took a year and a half of reporting, we tracked it back to the Bush administration and then handed off to the Obama administration and meetings in the Situation Room where they were picking targets in Iran, the way Lyndon Johnson used to pick targets for Vietnam in the same room.

Rick Howard: When President Bush decided to approve Olympic Games, it was a good solution for him at the time. He could potentially slow down the Iranian nuclear program and not have to roll the tanks into Iran. What he didn’t account for is the idea that this action opened the floodgates for other nation states to emulate. Here's David, from the documentary this time, and you can tell that because there's music playing in the background.

David Sanger: They've crossed the Rubicon. The United States had basically legitimized the use of cyber as a weapon against another country, against whom you had not declared war. It pushed the world into an entirely new territory.

Jason Healey: Once the Iranians took the punch, Iran said, oh, that's the way the game is played. Alright, I get this now and then they started to unleash against the United States.

Elvis Presley: [SINGING] Bright light city gonna set my soul, gonna set my soul on fire.

Rick Howard: That was Jason Healey from the documentary. He is a Senior Research Scholar at Columbia University’s School of International and Public Affairs, specializing in cyber conflict, competition and cooperation, and a little bit of Elvis to get us in the mood for the Iranian cyber attacks against the Sands Casino in Las Vegas.

David Sanger: Right after Stuxnet, we saw the Iranians attack Saudi Aramco, the world's largest producer of oil. They lost about 30,000 computers. Iran's cyber groups improved. By 2012 they were going after financial centers in the United States, though it took the U.S. intelligence operations a long time to figure out where that was coming from. So, Bank of America, Citigroup, all those, that's when they sort of first got religion about the need to protect their networks.

David Sanger: There's a scene in the documentary in which Sheldon Adelson, who's a big Republican contributor, goes to Yeshiva University and is giving a talk one day about the Iranian nuclear program, and he says, you know what we ought to do, we ought to take a nuclear bomb and explode it in the Iranian desert and sort of classify it and then send the Iranians a note and say to them, this is what's going to happen to Tehran if you don't turn over your nuclear program. Now, I teach national security stuff in a graduate course at the Kennedy School at Harvard. I would not call this the most subtle strategy that I've ever heard, but, you know, it's a strategy.

Rick Howard: When I heard him say that on the documentary, I said, oh, yeah, that's going to turn out well.

David Sanger: Yeah, so it turns out that not only you were listening to him say it, but who knew the Iranians get YouTube and they watched him say it, Sheldon Adelson, desert sands. Wait a minute, this guy owns a casino doesn't he? He does, he owns the Sands Casino. And what do you know, about three months later, his employees walked in and discovered their hard drives had been wiped clean.

Rick Howard: The significance of the Iranian Sands Casino cyber attack is that a small nation state, who doesn’t have the military power of the U.S. or Russia or China, can take out a small city via cyber in a country of one of their enemies. Because casinos are really small cities. Besides the gambling, they have restaurants, entertainment, shops, a police force, medical facilities, power generation and an entire host of administration that is equivalent to cities of, say, Baltimore or San Antonio.

Rick Howard: But since the Iranian Sands Casino cyber attack worked, the North Korean leadership decided they would try their hand in a similar way, to pressure a Hollywood studio, Sony, into not releasing a movie that was critical of its leader. The North Korean hacker group, Guardians of the Peace, or the North Korean military intelligence group, took offense to the movie, "The Interview," written and directed by Seth Rogen and launched a crippling cyber attack against Sony’s IT infrastructure. But they also took a new step. Before they destroyed everything, they collected embarrassing documents about movie stars and directors and Sony executives and dumped them to the press and other nefarious sites. Here is Dmitri Alperovitch, the co-founder of CrowdStrike, and Amy Zegart again of Stanford University.

Dmitri Alperovitch: We have seen criminal hackers and hacktivists use this hack and dump technique to intimidate victims on a small scale. That was the first time we have seen a nation state do it very effectively. The first thing that the North Koreans did was to give it to reporters and then when they've exhausted that channel they gave it to WikiLeaks.

Amy Zegart: This was all very valuable information to the company. Trade secrets like scripts before movies were released, detailed contract information about what had been paid to whom.

Rick Howard: From small nations, like Iran and North Korea, attacking the Sands Casino and Sony, the documentary shifts to one of the big powers: Russia. For the last decade, Ukraine has borne the brunt of the Russians practicing their war-fighting philosophy called Gerasimov, essentially war that merges conventional attacks, terror, economic coercion, propaganda and cyber. The culmination of that effort led to one of the most damaging cyber attacks of all time: NotPetya. Here's David again.

David Sanger: So NotPetya was probably the most damaging hack ever done in terms of monetary damage. It was designed to attack Ukraine and bring it to a halt by going after an accounting system that all Ukrainian businesses are required to use by the tax authorities. But I think it ran on like Windows XP and, you know, that's mostly what people in Ukraine were using and not all of those. Again, I know you'll be shocked. Not all of those were legal copies.

Rick Howard: Oh, again, shocked, like you said.

David Sanger: Yeah. I happened to be in Ukraine when NotPetya was hitting and I had gotten in late to Kiev and I walked across the street from my hotel because all the restaurants in the hotel were shut down and remember the days when we used to fly around the world and travel?

Rick Howard: No, I can't, it's all fuzzy.

David Sanger: And I had no Ukrainian cash with me and I tried to pay for, you know, my dinner with a credit card. There wasn't a credit card machine in the country that was working.

Rick Howard: In the documentary, a number of experts chime in to talk about the NotPetya attacks. In order of appearance, here they are: Dmitry Shymkiv, who was Ukraine’s Deputy Head of Presidential Administration at the time, Dmitri Alperovitch again, the co-founder of CrowdStrike, Michael Riley of Bloomberg News and Amy Zegart again, of Stanford University.

Dmitry Shymkiv: It was June 2017. I'm deputy head of the presidential administration. Took a few days' vacation to drop my kids at the summer camp and in the morning I start receiving text messages from my team. They think Ukraine is under attack. Our infrastructure is registering attacks. The virus is destroying computers. You know, ATM machines were not working. Hospitals reported that their computers were down. TV station, grocery stores. It was devastating. It was spreading like fire.

David Sanger: Ukraine is Vladimir Putin's petri dish. It's where he experiments on every single technique that he ultimately ended up using in the United States, breaking into emails and making them public, sowing chaos with this information.

Dmitry Shymkiv: Russia was constantly testing different strategies and different approaches in Ukraine. Attacks on the electrical grid, 2015, 2016. Attack on the transportation infrastructure, Odessa Airport, Ukrainian subway in Kiev. You don't see the regular war, but war is taking place and it's devastating.

Dmitri Alperovitch: With this NotPetya attack, what the Russians didn't count on is that the spreading algorithms that they put in were so aggressive that it wouldn't just contain itself to the network of one company.

Unknown male: Any firms with any links to Ukraine are being contaminated by this contagious virus.

Dmitri Alperovitch: It would quickly jump out and compromise contractors, other networks that you may be connected with.

Michael Riley: It escapes the box and it begins to hit the corporations and companies all around the world.

Amy Zegart: Maersk Shipping was one, FedEx was another. They lost hundreds of millions of dollars of business just from the loss of business operations and the money they had to pay to remediate the damage to their systems.

Rick Howard: As the Russians gained experience and success in Ukraine, they started to include the U.S. as a target. Here's David again.

David Sanger: Well, against us, we saw in the early attacks on the Pentagon, which really are what resulted in the creation of Cyber Command, and we take you through that a little bit in the documentary. But they also went after the email systems at the White House, the Joint Chiefs of Staff, the State Department. They got into the State Department systems, in fact, to the point the State Department had to close down their systems at various points and all of these led the United States to do absolutely nothing in return, and so if you're Vladimir Putin and you're thinking, OK, if these guys aren't going to defend the White House system, why would we possibly think that they would care about the Democratic National Committee? And the answer is that Putin concluded they probably won't and you know what's really remarkable is Cyber Command came into being, they were focused on things like taking out ISIS, which was definitely a big issue in 2016, and they really weren't looking internally at our election system and so this combination of hack and leak, of breaking into the DNC, of making this stuff public, of the Facebook ads, the influence campaign. It's not like they had their radar off, the way the U.S. military did in Pearl Harbor, Rick, they hadn't even built the radar. Now, we're doing better this year because they have built the radar but, of course, the Russians are trying some new and different techniques.

Rick Howard: CrowdStrike was the incident response firm that the DNC called when they realized they were in trouble. Here is Dmitri Alperovitch again, describing what they found.

Dmitri Alperovitch: The call came out on Friday, so it took us a few days to go into the network and find infected machines on the network. This wasn't just on one system, there were hundreds of systems that were being impacted. We start looking at the malware and immediately realize that this was malware we had seen many times before, that we had high confidence attribution to the GRU, the Russian military intelligence.

Dmitri Alperovitch: We're seeing them spread from system to system, touch files, take those files out of the network, stealing data, monitoring everything. You can't just shut down one machine because they're everywhere. So you have to shut everything down and spend several days rebuilding all the infrastructure. We told the DNC, when do you want us to do this remediation? At the time the primaries were in full swing. Hillary Clinton had not yet locked down her nomination. So they said, let's plan four or five weeks from now when the primaries are over and we're not under the gun. Waiting a few weeks did not seem outrageous. Also, at that period of time, the Russians continued stealing documents and we're sort of helplessly watching them.

Rick Howard: And then the Russians ran a play from their dog-eared playbook, that they have been using in Ukraine for a while now, a play that the North Koreans started with the Sony attacks. The Russians started dumping embarrassing documents to the public and began pitting opposite sides against each other on social media in a coordinated influence operation. Here is Alex Stamos, an Adjunct Professor at Stanford’s Freeman Spogli Institute, and visiting scholar at the Hoover Institution, but during the 2016 presidential election, he was the Facebook CSO.

Alex Stamos: During the election, we had a dedicated team at Facebook whose job it was to look for Russian actors and we had found GRU activity, we'd found DCLeaks. We had found them pushing disinformation, but not really at scale and we really didn't understand what was behind the vast majority of this fake news. But right after the election, we took all of the political ads that were run in the United States in the year before the election and then we figured out all the accounts that were possibly tied to it. So, this is the people who ran the ad, but it's then also people who used the same computer as the person who ran an ad or people who have used the same phone as the person who ran the ad, and then for every single one of those accounts we looked for possible links to Russia. We start pulling that thread and then we eventually find this cluster that we can all link together and that was the Internet Research Agency.

Rick Howard: Which brings us to the end of my interview with David Sanger about his excellent book and now his excellent documentary. Let him have the last word on the subject.

David Sanger: So, we brought it sort of up to date. You'll see a lot of different people talking about what it's like to have been on the receiving end of this and the sort of fog of war. You've got everyone in this documentary from Hillary Clinton and John Podesta, who sat down to talk about the 2016 election, to Seth Rogen, who was the star of, of course, The Interview, and he is very funny, I do have to say, and you'll see people like Eric Rosenbach, co-director of Harvard's Belfer Center, but was the chief of staff to Ash Carter at the Pentagon when he was Secretary of Defense, talking about the calculus that you make as you're under cyber attack or as you're trying to think about what the U.S. can go do. So, the idea is to bring you in at a very human level to the kind of decisions that have to be made when you're on the receiving end and when you're on the offensive end.

Rick Howard: The book and now documentary is called The Perfect Weapon: How the Cyber Arms Race Set the World Afire. HBO and HBO Max started streaming the documentary on 16 October 2020 and many thanks to David Sanger for being a guest of this show. From everyone here at the CyberWire, I am Rick Howard. Thanks for listening.