David Sanger of the NY Times is giving a Shorenstein Center lunchtime talk about covering security.
NOTE: Live-blogging. Getting things wrong. Missing points. Omitting key information. Introducing artificial choppiness. Over-emphasizing small matters. Paraphrasing badly. Not running a spellpchecker. Mangling other people’s ideas and words. You are warned, people.
David begins by honoring Alex Jones, the retiring head of the Shorenstein Center with whom he worked at the Times.
David tells us that he wrote his news analysis of the Netanyahu speech to Congress last night, before the talk, because people now wake up and expect to read about it. His article says that a semantic difference has turned into a strategic chasm: we’ve gone from preventing Iran from having the capability of building a weapon to preventing Iran from building a weapon. Pres. Obama dodged this question when David asked him about it in 2010. If the Iran deal goes through, says David, it will be the biggest diplomatic step since Nixon went to China.
Probably six years ago David had just come back from writing The Inheritance, which disclosed that GW Bush had engaged in the first computer attacks on Iran. He came back to the newsroom saying that we need to start thinking about the strategic uses of cyber as a weapon, beyond worrying about kids in a basement hacking into your bank account. This was an uphill struggle because it’s extremely difficult to get editors to think about a nontraditional form of warfare. Drones we understand: it’s an unmanned aircraft with familiar consequences when it goes wrong. We all understand nuclear weapons because we saw Hiroshima. Cyber is much harder to get people to understand. To make matters worse, there are so many different kinds of cyber attacks.
When you think about cyber you have to think about three elements, he says. 1. Cyber for espionage, by states or by thieves. 2. Cyber for economic advantage, on the cusp between business and govt. E.g., Chinese steal IP via operations run out of the Chinese Army. The US thinks that’s out of bounds but the Chinese think “What’s more important to our national interest than our economy? Of course we’ll steal IP!” 3. Cyber for political coercion, e.g. Stuxnet. This tech is spreading faster than ever, and it’s not just in the hands of states. We have no early concept of how we’re going to control this. We now claim Iran was behind cyberattacks on Las Vegas casinos. And, of course, the Sony hack. [He recounts the story.] “This was not a little drive-by attack.”
He says he would have predicted that if we got into a cyber war with another country, it would be an attack on the grid or some such, not an attempt to stop the release of a “terrible” commercial movie. “We’re in a new era of somewhat constant conflict.” Only now is the govt starting to think about how this affects how we interact with other companies. Also, it’s widened the divide Snowden has opened between Silicon Valley and the govt. Post-Snowden, companies are racing to show that they’re not going to cooperate with the US govt for fear that it will kill their ability to sell overseas. E.g., iPhone software throws away the keys that would have enabled Apple to turn over your decrypted data if the FBI comes along with a warrant. The head of the FBI has objected to this for fear that we’re entering a new era in which we cannot get data needed to keep us secure.
The govt itself can’t decide how to deal with the secrecy around its own development of cyber weapons. The Administration won’t talk about our offensive capabilities, even though we’re spending billions on this. “We can’t have a conversation about how to control them until you admit that you have them and describe the circumstances under which you might use them.”
Q: [alex jones] Laypeople assume that there are no secrets and no privacy any more. True?
A: By and large. There’s no system that can’t be defeated. (Hillary Clinton must have come to be so suspicious of the State Dept. email system that she decided to entrust it to gmail.) There’s no guaranteed system. We’d have to completely redesign the Internet to make it secure.
Q: [alex] What’s the state of forensics in this situation?
A: It’s not a sure thing. All govts and law enforcement agencies are putting a lot of money into cyber forensics. In the nuclear age, you could see where the missiles are coming from. Cybercrime is more like terrorism: you don’t know who’s responsible. It’s easy to route a cyberattack through many computers to mask where it’s coming from. When the NYT was hacked by the Chinese govt, the last hop came from a university in the South. It wouldn’t have been so nice to have assumed that that little university was actually the source.
The best way to make forensics work is to have implants in foreign computing systems that are like little radar stations. This is what the NSA spends a lot of its time doing. You can use the same implant for espionage, to explore the computer, or to launch an attack. The US govt is very sensitive about our questions about implants. E.g., suppose the NSA tells the president that they’ve seen a major attack massing. The president has to decide about reacting proactively. If you cyber-attack a foreign computer, it looks like you struck first. In the Sony case, the President blamed North Korea but the intelligence agencies wouldn’t let him say what the evidence was. Eventually they let out a little info and we ran a story on the inserts in NK. An agency head called and officially complained about this info being published but said more personally that releasing the fact that the govt can track attacks back to the source has probably helped the cause of cybersecurity.
Q: Are there stories that you’re not prepared to publish yet?
A: We’ve held some stuff back. E.g., we were wondering how we attacked Iran computers that were disconnected from the Net (“air gap”). If you can insert some tech onto the motherboard before the product has been shipped you can get access to it. A Snowden document shows the packaging of computers going to Syria being intercepted, opened, and modified. Der Spiegel showed that this would enable you to control an off-line computer from 7 miles away. I withheld that from the book, and a year or two later all that info was in the Snowden docs.
Q: [nick sinai] Why haven’t the attacks on the White House and State Dept. been a bigger story?
A: Because they were mainly on the unclassified side. We think it was a Russian attack, but we don’t know if it was state-sponsored.
Q: How does the Times make tradeoffs between security and openness?
A: I’m not sure we get it right. We have a set of standards. If it would threaten a life or an imminent military or intelligence operation we’re likely not to publish it. Every case is individual. An editor I know says that in every case he’s withheld info, he’s sorry that he did. “I don’t blame the government” for this, says David. They’re working hard to prevent an attack, and along comes a newspaper article, and a program they’ve been working on for years blows up. On the other hand, we can’t debate the use of this tech until we know what it can do. As James Clapper said recently, maybe we’re not headed toward a cyber Pearl Harbor but toward a corrosive series of attacks, institution by institution.
Q: At what point do cyberattacks turn into cyberwarfare?
A: “Cyberwarfare” is often an overstated term. It implies that it might turn into a real-world war, and usually they don’t. Newspapers have to decide which ones to cover, because if you tried to cover them all, that’s all you’d cover. So the threshold keeps going up. It’s got to be more than stealing money or standard espionage.
Q: Will companies have to create cyber militias? And how will that affect your coverage?
A: Most companies don’t like to report cyber attacks because it drives down their stock market valuation. There’s a proposed law that would require a company to report cyber attacks within a month. The federal govt wants cybersecurity to come from private companies. E.g., JP Morgan spends half a billion dollars on cyber security. But there are some state-sponsored attacks that no private company could protect itself against.
Q: How does US compare with our enemies? And in 30 yrs how will we remember Snowden?
A: The usual ranking puts US on top, the British, the Israelis. The Chinese are very good; their method seems to be: attack everyone and see what you get. The Russians are stealthier. The Iranians and North Koreans are further down the list. A year ago if you’d told me that the NKs would have done something as sophisticated as the Sony attack, I would have said you’re crazy.
I have no problem believing both that Snowden violated every oath he took and multiple laws, and that the debate started by the docs that he released is a healthy one to have. E.g., Obama had authorized the re-upping of the collection of metadata. After Snowden, the burden has been put on private companies, none of which have taken it up. Also, Obama didn’t know we were listening in on Angela Merkel. Now all those programs are being reviewed. I think that’s a healthy kind of tradeoff.
Q: What enduring damage has Snowden done?
A: The damage lies between immediate and enduring. Immediately, there were lots of intelligence programs that had to be redone. I don’t see any real damage outside of a 5 year frame.
Q: Might there be a deal that lets Snowden come home?
A: A year ago there was interest in this in order to find out what Snowden knows. But now the intelligence services feel they have a handle on this.
Q: Netanyahu speech?
A: Politically he probably did a little more damage to his cause than good. Some Dems feel coerced. On the substance of it, I think he made the best case you can make for the two biggest weaknesses in the deal: 1. It doesn’t dismantle very much equipment, so when the deal’s term is over, they’ll be up and running. 2. We’re taking a bet that the Iranian govt will be much easier to deal with in 10-15 yrs, and we have no idea if that’s true. But Netanyahu has not put forward a strategy that does not take you down the road to military confrontation.