Podcast: Cyber Threats with David Sanger

Transcript

Listen: Ian brightens things up by talking cyber warfare with David Sanger.

TRANSCRIPT: Cyber Threats with David Sanger

David Sanger:

Putin knew that if you could go in and grab this stuff from the DNC, or his henchmen do, the chances that the US was going to retaliate...

Ian Bremmer:

Very low.

David Sanger:

Somewhere between zero and negative five.

Ian Bremmer:

Hi, I'm Ian Bremmer and welcome to the GZERO World Podcast. I'm host of the weekly show, "GZERO World" on public television. In this podcast, we share extended versions of the big interviews from that show.

Ian Bremmer:

This week I sit down with David Sanger of the New York Times to talk about how cyber warfare between nations is reshaping global power. And on Puppet Regime, Mark Zuckerberg unveils a brand new dating app. Let's get to it.

Announcer:

The GZERO World is brought to you by our founding sponsor. First Republic. First Republic, a private bank and wealth management company understands the value of surface, safety and stability in today's uncertain world. Visit firstrepublic.com to learn more.

Ian Bremmer:

David, great to be with you.

David Sanger:

Great to be back with you.

Ian Bremmer:

Let me start with fear. Are we more fearful than we should be? I mean, why don't we start with some ground truths, things that people are concerned about that they don't really need to be.

David Sanger:

The main import of hacks frequently is to create fear and doubt and confusion. And so when you think about why you're worried that someone may get inside your autonomous car, it's because one day you may pop in to go to the supermarket and discover it's driving you off a cliff, in which case you're unlikely to make use of your autonomous car. If you think when you go to the ballot box and pull the lever for your favorite candidate, and you actually think that maybe someone's gotten inside and your vote's going to look like it's for the candidate you hate...

Ian Bremmer:

That's rigged. Yeah.

David Sanger:

... you may not come out to vote. And over time, that erodes the institutions we've come to go trust. And that's why there are some things in the world that you don't basically want to go trust to an automated system. I mean, I don't understand what the problem is with having backup paper ballots.

Ian Bremmer:

Would you say that most of the concern is about fear as opposed to reality of the impact of the hacks from what we know so far?

David Sanger:

Yeah. We don't have any evidence so far, looking at the 2016 election, that votes were changed because of what the Russians did. We have suspicions and we have suspicions for lots of good reasons. I mean, if people looked at enough fake Facebook ads, there's some gullible portion of the population, or maybe not even very gullible, but people who thought they were just real ads whose opinions might have been changed.

David Sanger:

But to know whether or not the hack was successful, you have to crawl between the ears of thousands, if not millions of voters who were right on the edge between voting for Donald Trump and voting for Hillary Clinton and figure out whether a Facebook ad actually made the difference. More worrisome out of that hack was the part that we don't think really worked terribly well, but may next time.

Ian Bremmer:

Which is?

David Sanger:

Which was getting inside the voter registration systems. Now, most-

Ian Bremmer:

Which they did try to do with that.

David Sanger:

They did. And they succeeded at least in Arizona and Illinois. And we think in several other states.

Ian Bremmer:

Do we know this was the Russians in this case?

David Sanger:

That was the Russians. And there's no question it was a different group of Russians than the Russians who were doing Facebook, these people specialize. But it was in fact the Russians who went off and did that. And next time, it may not be next time, it could be somebody else.

Ian Bremmer:

We've heard for a long time, "No one plays defense well, on cyber." Is at least they're a mutually assured cyber destruction-

David Sanger:

There is not.

Ian Bremmer:

Because?

David Sanger:

You've gotten to one of the big, big differences between cyber and nuclear weapons. And one of the arguments of the perfect weapon is that the reason it's a perfect weapon is that you, unlike nuclear weapons, you can dial it up and you can dial it down. You can hide where the attack comes from. These are all incredibly valuable things to be able to go do.

David Sanger:

So the concept of mutually assured destruction comes from a nuclear age where if the Soviets threw missiles at our cities, we throw them at their cities and no one's going to start up because we know the end of this is going to be total wreckage. Cyber is the opposite. Because you can dial it up and dial it down, you can calibrate a cyber attack to be pretty sure that the government or corporation that's on the receiving end of it is not going to mount a significant retaliation.

David Sanger:

And basically the history of cyber in the past 5 or 10 years is one of attacks that do not get responded to. A good place to look at the question of why presidents are concerned about authorizing counter cyber attacks would be the attack on Sony a few years ago...

Ian Bremmer:

By the North Koreans.

David Sanger:

... by the North Koreans, and the attack by the Russians on the election system. Both of those happened under the Obama administration. So let's take them one at a time. The Sony hack, you may remember, was to try to prevent Sony from...

Ian Bremmer:

Releasing a movie.

David Sanger:

... releasing a really bad movie that I can save you two hours of your life by suggesting that you don't download. It's called "The Interview."

Ian Bremmer:

"The Interview."

David Sanger:

"The Interview."

Ian Bremmer:

Seth Rogen.

David Sanger:

Seth-

Ian Bremmer:

Do not watch that though.

David Sanger:

Do not. Okay.

Ian Bremmer:

Okay. David Sanger, two thumbs down.

David Sanger:

Two thumbs down.

Ian Bremmer:

Fair enough.

David Sanger:

Although I have to tell you, my book editor loved the movie and constantly tried to edit out my critiques of the movie.

Ian Bremmer:

Actually happened?

David Sanger:

I wouldn't let him do it. I said, "I got to draw the line of journalistic integrity here some..."

Ian Bremmer:

That's good.

David Sanger:

Okay. So in that case, the North Koreans did the only logical thing you do when you try to stop a movie, which is they wrote a letter to the secretary general of the United Nations, demanding that he stop the movie from coming out. We all know what influences the secretary-

Ian Bremmer:

This was Ban Ki-moon at the time.

David Sanger:

Yeah.

Ian Bremmer:

Who even among secretaries general would've been one of the weaker ones to send it to.

David Sanger:

Not only that, his influence in Hollywood was probably somewhat limited.

Ian Bremmer:

I would say so. Yeah.

David Sanger:

Yeah. So anyway, that didn't work, it turned out. So in the fall of 2014, they put malware inside the Sony computer systems, and they were enormously patient. They spent months mapping out just how the Sony systems worked. And when they decided to strike, which was right around Thanksgiving of 2014, so a few months later.

Ian Bremmer:

Before the movie had come out.

David Sanger:

The movie was supposed to be released at Christmas, they not only released some emails that they had stolen out of the system, which revealed vital secrets. Like the fact that Angelina Jolie, some people thought were difficult to work with on the set. This just in. But they melted down 70% of Sony's computing systems.

David Sanger:

All of a sudden, there were all these meetings in the White House. First of all, did we see this coming? Ah, no one saw it coming. Why? Because most of the targets in the United States were in private networks. The United States doesn't monitor private networks. If it did, we'd all be shrieking about the privacy invasion. Second, is this an act of war? Well, come on guys. We're talking about a Seth Rogen movie here. Okay. This isn't necessarily an act of war. In fact [President Obama]-

Ian Bremmer:

It's an American corporation.

David Sanger:

It's an-

Ian Bremmer:

It's worth a lot of money.

David Sanger:

It's an American corporation with a Japanese parent. And by the way, when I went to Japan and I asked everybody, "So what'd you guys do in holding your meetings about this attack?" They said, "We never even had any meetings about this attack." So it's an American corporation. President Obama said at one point it was an act of cyber vandalism. We don't call in the US government to go retaliate for acts of vandalism. You call local police and ask them to round up the teenagers. Right?

Ian Bremmer:

Yep.

David Sanger:

So they couldn't even sort of decide what it was. In the end because there had been a threat to go attack moviegoers, probably an empty threat, President Obama issued some fairly weak economic sanctions against the North Koreans that I bet the North Koreans never even noticed in the flood of other economic sanctions we've had against North Korea. For a day or two or three, the internet slowed to a dead crawl in North Korea.

Ian Bremmer:

In North Korea. Yeah.

David Sanger:

Thus, really pissing off the 10 people authorized to use the internet in North Korea. We think the Chinese probably did that. We didn't want to go into their systems in North Korea because to do it, we'd have to go through networks in China.

Ian Bremmer:

Chinese networks. Yeah.

David Sanger:

And somebody said, "So how do you explain this to the Chinese?" So that was example one. Example two was a Russia hack.

Ian Bremmer:

And the lesson from example one is we have no idea how to respond to this stuff?

David Sanger:

That's right.

Ian Bremmer:

Okay.

David Sanger:

And the example from lesson two is two years later, we still have no idea how to go respond to this stuff. So the Russians didn't start with the Democratic National Committee. The Russians started with attacks on the White House unclassified email system, the state department unclassified email system, the joint chiefs of staff. In each one we eventually detected they were there. In the case of the White House, as I report in the book, the NSA got into a two-week-long battle with the Russians to try to oust them, basically exorcise them from the system. The Russians kept coming back in, not because they were getting anything that great, but because they wanted to show that they could, to make us just uneasy enough about the security of our systems to say, "You guys can block off this path and we'll tunnel in over here."

David Sanger:

All of these happened prior to the DNC hack. Did the United States come out and name Russia as the aggressor? Never. Did it punish the Russians. No. Why not? "Well, it's espionage. They're coming in. We go in. It's like what people do. Shame on us for keeping our systems unsupported."

David Sanger:

If you're Vladimir Putin and you're looking at this record, what do you think? You think, "Well, they're not actually willing to make a big deal about the fact that I got into the White House system. So who's going to care about the DNC? Which is basically staffed by a bunch of college kids." So Putin knew that if you could go in and grab this stuff from the DNC, or his henchmen do, the chances that the US was going to retaliate...

Ian Bremmer:

Very low.

David Sanger:

Somewhere between zero and negative five.

Ian Bremmer:

So this all sounds pretty bad.

David Sanger:

That's because it's pretty bad.

Ian Bremmer:

But the part of the story that I need to ask you is, is there another half of this that is about Americans engaging in offensive cyber efforts against countries that we don't like? I mean, we are the world's largest economy. We're the most technologically sophisticated. We spend as much on our military as the next seven countries combined.

Ian Bremmer:

If I were going to guess, I would guess that the Americans have pretty significant cyber capabilities, at least offensively. Do you have any reason to believe either yes or no, I mean, either way, that the Americans aren't doing the kind of things externally that the Chinese, for example, are doing to the Americans? Not in response to what the Chinese are doing, but just as a matter of practice.

David Sanger:

So you've been reading what I write for many a year.

Ian Bremmer:

Yeah, sure.

David Sanger:

And a lot of what I write is about American offensive operations. The biggest, meanest and most famous of which was codenamed 'Olympic Games.' And that was the American and Israeli attack on the Iranian nuclear production facilities.

Ian Bremmer:

The Olympic Games attack. What year was that?

David Sanger:

Well, it started in about 2007 and 2008, the code escaped and became visible to the world in the summer of 2010. It was, if there's anything that's sort of the original sin of this whole era, and in fact that part of the book is called Original Sins, it's the Olympic Games hack.

David Sanger:

So let's remind you what this was about. People were afraid that if the Iranians surged ahead with their nuclear program, the Israelis would end up bombing it. Which they came very close to doing. We had to head that off because if the Israelis got into a war with Iran, it was only going to be days before we were sucked into it too.

David Sanger:

So President Bush, who had refused to give the Israelis bunker-busting bombs and so forth, help wrap them into the Olympic Games program, something Israelis had been working on themselves. It was a fascinating case because it was the first really sophisticated hack where we did through computer operations, something that previously we would've only been able to do by bombing or sending in saboteurs. So in a hillside in Tennessee, they built a replica of the Natanz Nuclear Enrichment site.

Ian Bremmer:

The Iranian site.

David Sanger:

The Iranian site. They stole a bunch of... They didn't stole. They borrowed a bunch of nuclear centrifuges. These are the machines that spin at supersonic speeds that we had gotten from Libya when we cleaned out the Libya nuclear program.

Ian Bremmer:

What the Iranians would be using to enrich uranium.

David Sanger:

Very similar stuff. They used this model to build an enrichment center and attack it with code. They speed up the centrifuges and slow them down, destabilize them, make them explode. They pack up the remnants of this stuff, put it on an airplane, fly it into Washington, drive it into the northwest gate of the White House, dump it out on the situation room conference table, invite President Bush down to take a look at the shards. He utters an extremely vivid term, and they're off and running to do the program.

David Sanger:

President Obama then inherited the program, expanded it, and then we all know what happened. The code got out. That turned a lot of journalists, myself included, on to what happened. And I ended up telling the story in a previous book of the decision making there.

David Sanger:

President Obama was concerned that once the United States got down the road of doing offensive cyber, every other state would turn around and use that as an excuse for their own offensive cyber operations. And guess what? It turned out to be right.

David Sanger:

The time I wrote that book six years ago, I couldn't find another sophisticated state on state attack, not criminal, not... But really sophisticated use of a state... Use of cyber by a state for political purposes. When I was working on "The Perfect Weapon," we stopped counting at about 250 state on state attacks, all within the past five or six years.

Ian Bremmer:

A few ideas from you on both a regulatory response from government, if you think one is possible, as well as kind of what the average person can do, how they should think about these things differently given the mistakes that are being made by governments-

David Sanger:

Well, let's start with what you could do. I mean, some of them are simple. If you don't use two factor authentication, that part where that bank sends a code to your cell phone before you pull money out and stuff like that, start doing that. It's not a 100% solution. If you're doing it in a state where the state owns the telephone company, they're going to be able to intercept those numbers as well. But it's a start. There are a bunch of sort of good hygiene things. The sort of 'safe sex program' for cyber that you can go do that will cut down on a lot of random stuff.

Ian Bremmer:

I don't believe we're going to have this talk right now, but okay.

David Sanger:

We're going to try not to. Because I don't want to shock you too much. Okay?

Ian Bremmer:

Yeah.

David Sanger:

But know that that will help you against criminals, vandals, teenagers, drive-by hackers. If you're really the target of the Chinese or the Russians or the Iranians or the North Koreans, none of that's going to work. But you need to do it for the same reason you need to put locks on your house and buy some insurance for yourself. Because there's a basic group of things that you got to do for yourself and you can't expect the government to do.

David Sanger:

Now, you don't expect by putting locks in your house and buying insurance that you're protecting against incoming missile attacks. And you're saying, "Thank you. I'm leaving that one to the US military." And that raises the question, "What does the government got to do? At what point do they have to step in?" And that is a completely unresolved issue within the United States government and makes it all the more amazing that a few months ago when John Bolton came in as the national security advisor-

Ian Bremmer:

He said to get rid of that guy that was running cyber.

David Sanger:

Not only the guy who was running cyber, he got rid of the whole cyber coordinator office that was supposed to go sort out all of these different issues.

Ian Bremmer:

In the White House?

David Sanger:

In the White House.

Ian Bremmer:

Yeah. Why'd he do that?

David Sanger:

I can't get a coherent answer out of them. The closest they've come is to say, "Cyber is part of everything." Of course, you and I know something that is part of everything, no one's in charge. The effort over the past 10 years has been, "Let's put some people in charge because this is really hard."

David Sanger:

Not only that, if you go into the intelligence community's assessment to Congress about what are the biggest threats to the United States... 2007, it was terrorism. And you read the 2007 report, you can't find the word "cyber." But for the past four or five years it's been, "Cyber is the number one threat ahead of nuclear proliferation, ahead of Al-Qaeda, ahead of ISIS, any form of terrorism, it's cyber." Great time, really great time to dismantle the White House coordinator job. So my first fear is the US government is actually less organized on this than we were 18 months ago.

David Sanger:

My second fear is that while our private cyber defenses have gotten better, we're all beginning to use that two-factor authentication, we know what spear phishing emails look like. We're going to be more careful. While we've gotten more careful, more things have gotten connected to the internet faster than we've come up the scale in protecting ourselves.

David Sanger:

So I'll give you some examples. People buy these little video cameras that you put around your house to give you some video surveillance. You can watch it on your iPhone. Make sure your house is safe. They're cheap, they're made in China, $50 a piece. They come with a built-in password called password or something similarly safe. They're almost impossible to reprogram the password. We've already seen one attack where somebody went in and masked together the computing power of hundreds of thousands of these video cameras and used it to attack a company in the United States. And it's basically using them as a bot.

David Sanger:

But we are connecting more and more and more things to the internet. If you walked into your house 10 years ago, you probably had maybe your phone, certainly a couple of computers connected to the internet. Today you walk into your house, your thermostat, maybe that refrigerator, certainly the car...

Ian Bremmer:

And the average person's...

David Sanger:

... certainly the Alexas.

Ian Bremmer:

... not going to be able to do anything to respond to that.

David Sanger:

No. And you're not going to go in and reprogram every password. You can't even remember all the passwords you have now.

David Sanger:

So one thing we could do of a regulatory effect is a minimum level of safety for any product that's going to be connected to the internet. And manufacturers will scream. But you know what? Car manufacturers didn't like it when we said, "You had to put in seat belts."

Ian Bremmer:

I knew you were going to use a seatbelt example. You're of that age.

David Sanger:

Of that age. And then they didn't like it when you're going to do airbags. They didn't actually bitch that much about putting in the rearview camera, but starting in a few months, every new car is going to have a rearview camera.

Ian Bremmer:

Connected to the internet.

David Sanger:

Connected to the internet. So why not say, "Here are some minimum safety standards before you can connect up to the internet."

Ian Bremmer:

David Sanger.

David Sanger:

Great to see you.

Ian Bremmer:

Thank you very much. That's our show this week. We'll be right back here next week with Toria Nuland, CEO of the Center for New American Security. An expert on all things Europe. Don't miss it. In the meantime, if you like what you've seen, check us out at gzeromedia.com.

Announcer:

The GZERO World is brought to you by our founding sponsor, First Republic. First Republic, a private bank and wealth management company understands the value of surface, safety and stability in today's uncertain world. Visit firstrepublic.com to learn more.