Copyright 2018 by David E. Sanger
All rights reserved.
Published in the United States by Crown, an imprint of the Crown Publishing Group, a division of Penguin Random House LLC, New York.
CROWN and the Crown colophon are registered trademarks of Penguin Random House LLC.
Library of Congress Cataloging-in-Publication Data is available upon request.
PREFACE
A year into Donald J. Trumps presidency, his defense secretary, Jim Mattis, sent the new commander-in-chief a startling recommendation: with nations around the world threatening to use cyberweapons to bring down Americas power grids, cell-phone networks, and water supplies, Trump should declare he was ready to take extraordinary steps to protect the country. If any nation hit Americas critical infrastructure with a devastating strike, even a non-nuclear one, it should be forewarned that the United States might reach for a nuclear weapon in response.
Like most things in Washington, the recommendation leaked immediately. Many declared it a crazy idea, and wild overkill. While nations had turned their cyberweapons against each other dozens of times in recent years, no attack had yet been proven to cost a human life, at least directly. Not the American attacks on Irans and North Koreas weapons programs; not the North Korean attacks on American banks, a famed Hollywood studio, and the British healthcare system; not the Russian attacks on Ukraine, Europe, and then the core of American democracy. That streak of luck was certain to end soon. But why would Donald Trump, or any of his successors, take the huge risk of escalating a cyberwar by going nuclear?
The Pentagons recommendation, it turned out, was the prelude to other proposalsdelivered to a president who values toughness and America Firstto use the nations powerful cyberweapons far more aggressively. But it was also a reminder of how quickly the fear of devastating cyberattacks has moved from the stuff of science fiction and Die Hard movies to the center of American defense strategy. Just over a decade before, in 2007, cyberattacks were missing entirely from the global Threat Assessment that intelligence agencies prepare each year for Congress. Terrorism topped that list, along with other post-9/11 concerns. Now that hierarchy has been reversed: For several years a variety of cyber threats, ranging from a paralyzing strike on the nations cities to a sophisticated effort to undercut public confidence in its institutions, has appeared as the number one threat on the list. Not since the Soviets tested the Bomb in 1949 had the perception of threats facing the nation been revised so quickly. Yet Mattis, who had risen to four-star status in a career focused on the Middle East, feared that the two decades spent chasing al Qaeda and ISIS around the globe had distracted America from its most potent challenges.
Great power competitionnot terrorismis now the primary focus of US national security, he said in early 2018. Americas competitive edge has eroded in every domain of warfare, including the newest one, cyberspace. The nuclear strategy he handed Trump gave voice to an inchoate fear among many in the Pentagon that cyberattacks posed a threat unlike any other, and one we had completely failed to deter.
The irony is that the United States remains the worlds stealthiest, most skillful cyberpower, as the Iranians discovered when their centrifuges spun out of control and the North Koreans suspected as their missiles fell out of the sky. But the gap is closing. Cyberweapons are so cheap to develop and so easy to hide that they have proven irresistible. And American officials are discovering that in a world in which almost everything is connectedphones, cars, electrical grids, and satelliteseverything can be disrupted, if not destroyed. For seventy years, the thinking inside the Pentagon was that only nations with nuclear weapons could threaten Americas existence. Now that assumption is in doubt.
In almost every classified Pentagon scenario for how a future confrontation with Russia and China, even Iran and North Korea, might play out, the adversarys first strike against the United States would include a cyber barrage aimed at civilians. It would fry power grids, stop trains, silence cell phones, and overwhelm the Internet. In the worst-case scenarios, food and water would begin to run out; hospitals would turn people away. Separated from their electronics, and thus their connections, Americans would panic, or turn against one another.
The Pentagon is now planning for this scenario because it knows many of its own war plans open with similarly paralyzing cyberattacks against our adversaries, reflecting new strategies to try to win wars before a shot is fired. Glimpses of what this would look like have leaked out in recent years, partly thanks to Edward J. Snowden, partly because a mysterious group called the Shadow Brokerssuspected of close links to Russian intelligenceobtained terabytes of data containing many of the tools that the National Security Agency used to breach foreign computer networks. It didnt take long for some of those stolen cyberweapons to be shot back at America and its allies, in attacks whose bizarre-sounding names, like WannaCry, suddenly appeared in the headlines every week.
Yet the secrecy surrounding these programs obscures most public debate about the wisdom of using them, or the risks inherent in losing control of them. The governments silence about Americas new arsenal, and its implications, poses a sharp contrast to the first decades of the nuclear era. The horrific scenes of destruction at Hiroshima and Nagasaki not only seared the national psyche, but they made Americas destructive capabilitiesand soon Russias and Chinasobvious and undeniable. Yet even while the government kept the details classifiedhow to build atomic weapons, where they are stored, and who has the authority to order their launchAmerica engaged in a decades-long political debate about when to threaten to use the Bomb and whether to ban it. Those arguments ended up in a very different place from where they began: in the 1950s the United States talked casually about dropping atomic weapons to end the Korean War; by the eighties there was a national consensus that the US would reach for nuclear weapons only if our national survival was at stake.
So far, there has been no equivalent debate about using cyberweapons, even as their destructive power becomes more evident each year. The weapons remain invisible, the attacks deniable, the results uncertain. Naturally secretive, intelligence officials and their military counterparts refuse to discuss the scope of Americas cyber capabilities for fear of diminishing whatever narrow advantage the country retains over its adversaries.
The result is that the United States makes use of this incredibly powerful new weapon largely in secret, on a case-by-case basis, before we fully understand its consequences. Acts that the United States calls cyber network exploitations when conducted by American forces are often called cyberattacks when American citizens are the target. That word has come to encompass everything from disabling the grid, to manipulating an election, to worrying about that letter arriving in the mail warning that someonemaybe criminals, maybe the Chinesejust grabbed our credit cards, Social Security numbers, and medical histories, for the second or third time.