Scoop Review of Books

War 3.0

Book Review
The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David E. Sanger (Scribe, $35)
Reviewed by Valerie Morse

In October, the New Zealand government called out Russia for its “malicious cyber activity” with Government Communications Security Bureau director general Andrew Hampton telling Radio NZ’s Checkpoint programme that the government was “very concerned” about malicious internet activity. Reports of China’s intrusions into Australian companies have raised alarms in recent days, and now Chinese company Huawei has been banned from a role in building the new 5G network because its network systems are viewed as having back doors for the Chinese government. Two years ago, the NZDF said that it wanted to acquire offensive cyber weapons, among a raft of other purchases and upgrades. Unlike warships, firearms and aircraft, however, there has been little public discussion and debate about the acquisition of this wholly new class of weapon and whether the offensive, i.e. proactive, use of cyber weapons is a good idea in terms of New Zealand’s foreign policy. The cyber war, it seems, has already begun.

In his new book, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, author David Sanger, the national security correspondent for the New York Times, aims to provide some much needed, and highly readable, background to the issues and pose some challenging questions for an informed debate.

Sanger’s opening is dedicated to providing some context on why cyber weapons are so useful; they are, he says, the “tools available between diplomacy and military power.” He explains that they represent a more credible threat than much more powerful weapons because they can be used without “demonstrations of open military might that invited retaliation, escalation and international condemnation.”

The book’s first real-world example is the development and release of Stuxnet, a piece of malware developed by the US and Israeli militaries to disable Iranian centrifuges that were enriching uranium. While Israeli Prime Minister Netanyahu was keen to bomb the Iranian facility, the Obama administration wanted to bring the Iranians to the nuclear negotiating table: the use of a cyber weapon to disrupt development was intended to forestall the use of an actual weapon. But following its success, Sanger argues, in a theme he comes to repeat time and time again in the book, the US government failed to openly discuss the use of cyber weapons and, in particular, what the limitations of those uses could and should be.

The reasons for the secrecy were and remain twofold: first, the US doesn’t want to be limited in its ability to use cyber weapons. Like its unwillingness to negotiate over arms control when it held the preeminent nuclear arsenal of the 1950s, the US empire will not willingly forgo some possible advantage when it holds the dominant parts of the technology. The second reason is that any public discussion of cyber warfare may expose its security agencies’ methods and tools, which would compromise their ability to wage an attack.

Enter Edward J Snowden, a young security contractor, in 2013, who blew that cyber secrecy wide open. Sanger reviews the heady days when Snowden was still on the run in Hong Kong; meanwhile, the world was reeling from the extent of the US National Security Agency’s surveillance apparatus and its myriad cyber programmes including Tailored Access Operations. This sophisticated unit “found ways to break into even the most walled-off, well-secured computer systems around the world.” Sanger discusses the development of US military and intelligence agency thinking about cyber weaponry, and the issue he sees as critical: what constitutes an act of war – the tapping into the country’s nuclear command centre? Its financial operations? Its power grid? Or is the critical issue, as he outlines, the massive hack of Sony Pictures by the North Korean regime over a bad Seth Rogen film in an attempt to shut down a film that insulted the leader Kim Jong Un? And how are these different from sabotage or theft in the cyber realm?

The Snowden leak and the Sony Pictures episode both provide an opportunity for Sanger to explore the relationships between US intelligence agencies and large US tech firms including Google and Apple. He reviews some of the better-known instances arising from the Snowden leaks. Among these is the San Bernardino case wherein the US FBI sought to gain access to an iPhone 5 that was carried by a person who had subsequently gone on to shoot people at a city council party ostensibly in support of ISIS. Apple refused to provide any assistance to crack the phone, a refusal that exposed more clearly some of the contradictory and competing aims of the US state and its leading tech companies. He juxtaposes these against the situation for Chinese tech companies, in particular Huawei; Sanger believes that it has far fewer qualms in acceding to the demands of the Chinese state, specifically vis-a-vis requirements for back doors for intelligence agencies.

Cyber weapons are, to some extent, the great leveler insofar as they don’t require the massive investment in manufacturing infrastructure that traditional weapons do. The US still retains the paramount position with its massive investment in cyber weapons, as with all other classes of weapons.

Yet, there are no better examples of the ability to exploit that leveling than Russia and North Korea. Sanger’s final examples explore the lead-up to the 2016 US election and the development of the WannaCry malware, by the two countries respectively. He tells a haunting tale of how the Democratic National Committee (DNC) was advised that its systems were compromised by Russian hackers more than a year out from the election; however, at the time, neither the DNC nor the US state fully took on board or understood the implications that such a hack might ultimately have for the outcome of an election. As for WannaCry, Sanger is clear that it originated with the NSA, which had discovered a security fault with an older version of Windows. Apparently they preferred to keep that information to themselves in order to maintain that back door, rather than advising Microsoft of it in order that it could be fixed. They subsequently lost control of it, and North Korea’s exploitation of it was a preview into the cyber wars of the future with large-scale, random attacks.

At the end of the book, Sanger aims to provide some real policy solutions for the US, and while the author is hardly advocating disarmament, he is asking “whether reaching for such weapons with increasing frequency will continue to be a wise choice.” He cites an example from 1979 when the US military briefly believed that Russia had launched ICBMs before realising that a training tape had been inserted into the real advanced warning system. Today, the possibilities of an escalating response from a cyber attack need to be taken seriously. US President Trump indicated a willingness to use nuclear weapons to respond to a non-nuclear attack. The author notes that countries targeted by cyber weapons “would look at the implants in their networks and conclude, quite reasonably, that whoever put them there was planning a preemptive attack on their country.” This could put us squarely in a place where cyber weapons may very well trigger a catastrophic response, and in the end, it would not matter whether it was really happening or not.